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Abstract 

Proof-carrying  code  and  typed  assembly  languages  aim  to  mini¬ 
mize  the  trusted  computing  base  by  directly  certifying  the  actual 
machine  code.  Unfortunately,  these  systems  cannot  get  rid  of  the 
dependency  on  a  trusted  garbage  collector.  Indeed,  constructing  a 
provably  type-safe  garbage  collector  is  one  of  the  major  open  prob¬ 
lems  in  the  area  of  certifying  compilation. 

Building  on  an  idea  by  Wang  and  Appel,  we  present  a  series  of 
new  techniques  for  writing  type-safe  stop-and-copy  garbage  collec¬ 
tors.  We  show  how  to  use  intensional  type  analysis  to  capture  the 
contract  between  the  mutator  and  the  collector,  and  how  the  same 
method  can  be  applied  to  support  forwarding  pointers  and  gener¬ 
ations.  Unlike  Wang  and  Appel  (which  requires  whole-program 
analysis),  our  new  framework  directly  supports  higher-order  fun- 
tions  and  is  compatible  with  separate  compilation;  our  collectors 
are  written  in  provably  type-safe  languages  with  rigorous  seman¬ 
tics  and  fully  formalized  soundness  proofs. 

1.  Introduction 

The  correctness  of  most  type-safe  systems  relies  critically  on 
the  correctness  of  an  underlying  garbage  collector  (GC).  This  also 
holds  for  Proof-Carrying  Code  (PCC)  [13]  and  Typed  Assembly 
Languages  (TAL)  [12] — both  of  which  aim  to  minimize  the  trusted 
computing  base  (TCB)  by  directly  certifying  the  actual  machine 
code.  Unfortunately,  these  systems  cannot  get  rid  of  the  depen¬ 
dency  on  a  trusted  GC.  Indeed,  constructing  a  verifiably  type-safe 
GC  is  widely  considered  as  one  of  the  major  open  problems  in  the 
area  of  certifying  compilation  [11,3]. 

Recently,  Wang  and  Appel  [23]  proposed  to  tackle  the  problem 
by  building  a  tracing  garbage  collector  on  top  of  a  region-based 
calculus.  Our  work  builds  on  theirs  but  makes  the  following  new 
contributions: 

•  We  show  how  to  use  intensional  type  analysis  (ITA)  [19,  8] 
to  accurately  describe  the  contract  between  the  mutator  and 
the  collector  and  how  the  same  framework  can  be  applied  to 
construct  various  different  type-safe  GCs. 

•  Using  ITA  to  typecheck  GC  may  seem  to  be  an  obvious 
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idea  (at  least  to  some  people),  however,  none  of  the  previ¬ 
ous  work  [21,  15,  19]  have  succeeded  in  getting  it  to  work. 
Indeed.  Wang  and  Appel  [23]  subsequently  gave  up  on  us¬ 
ing  ITA.  We  show  why  the  problem  is  nontrivial  (see  Sec¬ 
tion  2.2)  and  how  to  modify  the  basic  ITA  framework  to  solve 
the  problem. 

•  Wang  and  Appel’s  collector  [23]  relies  on  whole-program 
analysis  and  code  duplication  to  support  higher-order  and 
polymorphic  languages — this  breaks  separate  compilation  and 
is  impractical.  We  show  how  to  use  runtime  type  analysis 
to  write  our  GC  as  a  library  (thus  no  code  duplication)  and 
how  to  directly  support  higher-order  functions  and  polymor¬ 
phism. 

•  We  expose  in  detail  how  to  implement  and  certify  efficient 
forwarding  pointers.  Making  them  type-safe  is  surprisingly 
subtle  (see  Section  7).  Wang  and  Appel  [23]  also  claim  to 
support  forwarding  pointers  but  their  scheme  is  less  efficient 
and  it  is  unclear  whether  it  is  sound. 

•  We  also  show  how  to  handle  generations  with  a  simple  ex¬ 
tension  of  our  base  calculus. 

•  A  garbage  collector  is  type-safe  only  if  it  is  written  in  a  prov¬ 
ably  type-safe  language.  We  have  complete  type-soundness 
proofs  for  all  our  calculi  (see  Appendix).Wang  and  Appel’s 
collectors  [23,  22],  on  the  other  hand,  are  not  fully  formal¬ 
ized. 

Although  our  paper  is  theoretical  in  nature,  we  believe  it  will  be 
of  great  interests  to  the  general  audience,  especially  those  who  are 
looking  to  apply  new  language  theory  to  solve  important  practical 
problems  such  as  mobile-code  safety  and  certifying  compilation. 
We  have  started  implementing  our  type-safe  GCs  in  the  FLINT 
system  [16],  however,  making  the  implementation  realistic  still  in¬ 
volves  solving  the  remaining  problems  (e.g.,  breadth-first  copying, 
remembered  sets,  and  data  structures  with  cycles,  which  we  still 
cannot  support  satisfactorily)  thus  is  beyond  the  scope  of  this  pa¬ 
per.  Nevertheless,  we  believe  our  current  contributions  constitute  a 
significant  step  towards  the  goal  of  providing  a  practical  type-safe 
garbage  collector. 

2.  Motivation  and  background 

Why  do  we  want  a  type-safe  garbage  collector? 
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The  explosive  growth  of  the  Internet  has  induced  newfound  in¬ 
terest  in  mobile  computation  as  well  as  security.  Increasingly,  ap¬ 
plications  are  being  developed  at  remote  sites  and  then  downloaded 
for  execution.  A  robust  mobile  code  system  must  allow  code  from 
potentially  untrusted  sources  to  be  executed.  At  the  same  time,  the 
system  must  detect  and  prevent  the  execution  of  malicious  code. 

The  safety  of  such  a  system  depends  not  only  on  the  properties  of 
the  code  being  downloaded,  but  also  on  the  security  of  the  host  sys¬ 
tem  itself,  or  more  specifically,  its  trusted  computing  base  (TCB). 

Proof-carrying  code  [13]  and  typed  assembly  languages  [12]  have 
been  proposed  to  reduce  the  size  of  this  TCB  by  bundling  the  un¬ 
trusted  code  with  a  mechanically  checkable  proof  of  safety,  where 
the  safety  is  usually  defined  as  type-safety.  Such  systems  only  need 
to  trust  their  verifier  and  runtime  system  rather  than  their  whole 
compiler  suite. 

But  all  these  certifying-compiler  projects  (e.g.,  PCC.  TAL)  still 
crucially  rely  on  the  correctness  of  a  tracing  garbage  collector  for 
their  safety.  Recently,  both  Crary  [3]  and  Morrisett  [11]  have  char¬ 
acterized  type-safe  garbage  collection  as  one  of  the  major  open 
problems  in  the  area  of  certifying  compilation. 

A  type-safe  GC  is  not  only  desirable  for  reducing  the  size  of  the 
TCB  but  also  for  making  it  possible  to  ship  custom-tailored  GC 
along  with  mobile  code,  or  to  choose  between  many  more  GC  vari¬ 
ants  without  risking  the  integrity  of  the  system.  Writing  GC  inside 
a  type-safe  language  itself  also  makes  it  possible  to  achieve  princi¬ 
pled  interoperation  between  garbage  collection  and  other  memory- 
management  mechanisms  (e.g.,  those  based  on  malloc-free  and  re¬ 
gions).  Indeed,  one  major  software-engineering  benefit  is  that  a 
type-safe  GC  must  make  explicit  the  contract  between  the  collector 
and  the  mutator  and  it  must  make  sure  that  it  is  always  respected. 
Without  typechecking,  such  rules  can  prove  difficult  to  implement 
correctly  and  bugs  can  be  very  difficult  to  find. 

2.1  The  problem 

Recently,  Wang  and  Appel  [21]  proposed  to  tackle  the  problem 
by  layering  a  stop-and-copy  tracing  garbage  collector  [24]  on  top  of 
a  region  based  calculus,  thus  providing  both  type  safety  and  com¬ 
pletely  automatic  memory  management. 

A  region  calculus  [17]  annotates  the  type  of  every  heap  object 
with  the  region  in  which  it  is  allocated  (such  as  <j\  xp  02  where  p 
is  the  region),  and  thus  allows  to  safely  reclaim  memory  by  freeing 
a  whole  region  if  that  region  does  not  appear  in  any  of  the  currently 
live  types. 

The  basic  idea  in  building  a  type-safe  GC  is  to  concentrate  on 
type-safety  rather  than  correctness.  Rather  than  try  to  prove  that 
the  copy  function  faithfully  copies  all  the  heap,  we  just  need  to 
show  that  it  has  a  type  looking  somewhat  like  Va.(a  — >  (a[T /F] )) 
where  (a[T /F] )  stands  for  the  type  a  where  the  region  annotation  T 
is  substituted  for  F  (see  Fig.  1).  Assuming  we  have  such  a  function 
and  we  don’t  keep  any  reference  to  the  region  F,  the  region  calculus 
will  allow  us  to  safely  reclaim  F. 

Clearly,  there  is  no  correctness  guarantee  in  sight  since  the  value 
returned  by  that  copy  function  might  have  a  completely  different 
value  or  might  not  faithfully  reproduce  the  original  graph,  but  it 
ensures  type-safe  execution  of  the  whole  mutator-collector  system 
and  even  offers  a  form  of  type-preservation  guarantee. 

The  main  problem  is  clearly  to  write  this  copy  function  which 
needs  to  trace  through  arbitrary  heap  structures  at  runtime.  There¬ 
fore,  the  language  needs  to  support  some  form  of  runtime  type  in¬ 
formation  in  order  to  do  the  actual  copy. 

In  their  followup  paper  [23],  Wang  and  Appel  suggest  to  cir¬ 
cumvent  the  problem  of  runtime  type  information  using  a  mix  of 
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Figure  1:  Stop-and-Copy  from  region  F  to  region  T. 

GC  is  written  in  continuation  passing  style  (CPS).  It  takes  the  cur¬ 
rent  region,  the  heap  and  a  continuation  and  begins  by  allocating 
a  new  region  T  with  “let  region  T  in  e”.  It  then  copies  the  heap 
into  this  new  region  and  then  frees  the  old  region  implicitly  with 
“only  T  in  e”  which  tells  the  region  management  that  all  regions  but 
T  can  be  reclaimed.  This  way  of  freeing  regions  was  introduced  by 
Wang  and  Appel  to  circumvent  problems  linked  to  aliasing  of  re¬ 
gions. 


monomorphization  and  defunctionalization  (a  form  of  closure  con¬ 
version  due  to  Tolmach  [1 8])  to  simplify  the  problem  to  a  monomor- 
phic  first  order  calculus.  However,  this  approach  suffers  from  sev¬ 
eral  major  drawbacks: 

•  Most  importantly,  it  is  not  generally  applicable  and  requires 
whole  program  analysis  which  rule  out  separate  compilation. 

•  It  can  introduce  a  significant  code  size  increase  and  forces  the 
use  of  separate  specialized  GC  and  copy  functions  for  each 
type  appearing  in  the  program.  Instead  of  the  promised  flex¬ 
ibility  to  choose  among  various  GC  variants,  this  approach 
locks  you  into  a  single  100%  tailor  made  collector. 

•  Finally,  although  their  type-safe  GC  does  properly  formal¬ 
ize  the  interaction  between  the  mutator  and  the  collector,  the 
formalization  is  hidden  inside  the  compiler  and  hence  does 
not  allow  to  bring  out  open  the  overly  intimate  relationship 
between  the  GC  and  the  compiler. 

They  also  try  to  preserve  sharing  using  forwarding  pointers.  The 
rough  sketch  of  the  solution  they  propose  is  similar  to  the  one  we 
developed  (which  is  done  independently).  It  relies  mostly  on  a  very 
powerful  form  of  cast  which  allows  some  amount  of  covariant  sub¬ 
typing  of  references.  Making  sure  that  this  cast  is  sufficiently  con¬ 
strained  to  be  safe  is  difficult.  Their  informal  presentation  is  incom¬ 
plete  and  possibly  incorrect,  and  leaves  many  important  questions 
unanswered. 

2.2  Our  solution 

We  want  to  do  away  with  any  form  of  whole  program  analysis 
so  as  to  make  the  mutator  and  the  collector  independent  in  order  to 
reap  the  promised  benefits  of  more  flexibility  and  clearer  interac¬ 
tion  between  mutator  and  GC. 
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In  this  paper,  we  present  a  different  approach  for  writing  the  copy 
function,  relying  on  runtime  type  analysis.  The  return  type  of  copy 
(q[T/F],  a  form  of  Typerec)  as  well  as  the  need  to  observe  types 
at  runtime  leads  one  very  naturally  to  use  intensional  type  analysis 
(ITA).  In  fact,  an  early  paper  of  Wang  and  Appel  [21]  was  titled 
“safe  garbage  collection  =  regions  +  intensional  type  analysis;”  but 
they  failed  to  make  it  work,  and  they  subsequently  gave  up  on  us¬ 
ing  ITA  and  ended  up  opting  for  the  lower-tech  solution  mentioned 
above  [23].  Saha  et  al.  [15,  19]  also  tried  to  use  ITA  to  write  the 
copy  function,  but  their  attempt  is  missing  crucial  details  and  didn’t 
really  work  either. 

2.2.1  A  case  for  symmetry 

So  what  is  the  problem?  It  seems  that  ITA  provides  us  with  just 
the  right  tools.  We  can  for  example  write  a  simple  Typerec  such 
as  Stif(c)  which  substitutes  T  for  F  and  then  use  typecase  in  the 
body  of  copy. 

But  that  means  that  the  type  grows  each  time  we  go  through 
the  GC,  from  o  to  St.f(o')  to  Sp.t(St.f(°'))  •  •  •  ■  This  may  seem 
unimportant  since  S  should  be  reduced  away  anyway.  But  Sp.t(o:) 
cannot  be  reduced  further  until  a  is  instantiated:  3q.Sj,f(q)  is  a 
normal  form.  So  the  accumulation  of  S  operators  is  a  real  problem, 
since  SPif(o)  is  not  equal  to  Sp,t(St,f(o:)). 

We  could  arrange  for  Spj(St,f(c))  to  reduce  to  Sp,F(rr).  But 
then  all  types  become  Sp,f(c)  (where  F  is  the  “initial  region”)  ex¬ 
cept  before  the  first  collection.  Also  it  is  very  ad-hoc  and  only 
works  as  long  as  S  is  a  quasi-identity. 

A  better  approach  is  to  ensure  that  the  input  and  output  types  are 
symmetric.  We  first  redefine  Sp  (o)  which  simply  substitutes  p  for 
any  region  annotation  (why  bother  with  an  initial  region)  and  then 
redefine  copy  to  have  type  VF.VT.Va.(SF(a)  — >  Sj(a))  which 
gets  us  rid  of  the  special  case  before  the  first  collection  and  does  not 
require  any  special  reduction  rule  for  S  since  GC  does  not  increase 
the  size  of  the  type  any  more. 

2.2.2  A  case  for  tags 

The  above  solution  looks  good  until  we  try  to  copy  an  existential 
package  3a :  {F}.Sp(a)  to  3a :  {T}.S-r(a). 

Type  variables  hide  region  annotations,  so  we  need  to  annotate 
their  kinds  with  the  relevant  region  information.  We  write  it  “a  : 
A”  to  mean  that  a  can  only  range  over  types  that  refer  exclusively 
to  the  regions  included  in  A. 

So,  by  opening  the  existential  package,  we  can  get  the  value  o 
of  a  and  the  value  of  type  Sf(ct),  and  a  recursive  call  to  copy  will 
return  St(<t),  but  how  can  we  construct  the  new  existential  package 
?  Reusing  o  as-is  will  not  do  since  o  is  not  constrained  to  {T}  but  to 
{  F} .  We  would  want  to  use  Sj(a)  but  that  cannot  work  either;  the 
only  correctly  typed  package  we  can  produce  is  (a  =  Sr(cr),  v:a ) 
which  has  type  3a :  {T}.a. 

We  are  again  pushing  a  new  S  onto  the  type  rather  than  replac¬ 
ing  an  S  with  another.  So  we  can  again  arrange  for  Sj(Sf(ct))  to 
reduce  to  St(<t),  but  we  really  do  not  want  to  tie  our  hands  with 
such  an  ad-hoc  and  restrictive  scheme. 

Instead,  we  can  pay  a  bit  more  attention  to  what  we  do  and  ob¬ 
serve  that  Sp  (o)  makes  region  annotations  on  o  completely  use¬ 
less,  so  instead  of  hying  to  get  those  annotations  right  only  to 
see  them  substituted  we  can  simply  define  a  parallel  set  of  non- 
annotated  types  r  (that  we  will  call  tags).  Since  tags  have  no  re¬ 
gion  annotations,  we  can  hide  them  in  tag  variables  without  any 
A  constraint,  which  side-steps  the  problem  of  copying  existentials 
conveniently. 

Such  a  split  between  types  and  tags  is  not  a  new  concept  since 


it  was  already  used  in  the  work  on  intensional  type  analysis  where 
tags  were  called  constructors  [8,  5],  But  here,  tags  take  on  more 
significance  since  they  correspond  to  a  source-level  notion  of  type 
and  will  be  mapped  to  different  actual  types  with  different  type 
functions  M  (formerly  S)  which  are  used  to  encapsulate  all  the 
constraints  that  mutator  data  has  to  satisfy  in  order  for  the  collec¬ 
tor  to  do  its  job.  As  you  will  see  in  sections  7  and  8  we  will  use 
a  non-trivial  M  mapping  to  force  the  mutator  to  provide  space  for 
forwarding  pointers  and  to  enforce  the  invariant  that  references  do 
not  point  from  the  old  generation  to  the  new. 

3.  Source  language  A clos 

For  simplicity  of  the  presentation,  the  source  language  we  pro¬ 
pose  to  compile  and  garbage  collect  is  the  simply  typed  A-calculus. 

In  order  to  be  able  to  use  our  region  calculus,  we  need  to  convert 
the  source  program  into  a  continuation  passing  style  form  (CPS). 
And  we  also  need  to  close  our  code  to  make  all  data  manipulation 
explicit,  so  we  turn  all  closures  into  existential  packages. 

We  won’t  go  into  the  details  of  how  to  CPS  convert  that  source 
language  [7].  Similarly,  for  the  closure  conversion  using  existen¬ 
tials  [10,  9], 

The  language  used  after  CPS  conversion  and  closure  conversion 
is  the  language  A  clos  shown  below. 

{types)  t  ::=  Int  |  t  |  n  x  T2  |  r  — >  0  |  3f.r 

(values)  v  ::=  n  \  f  \  x  \  (01,02)  |  (f  =  ti,  v :  T2) 

(terms)  e  ::=  let  x  =  v  in  e  |  let  x  =  mv  in  e 

vi(n2)J_opervn_as^f,  *}  in  e  |  halt  v 
(programs)  p  ::=  letrec  /  =  A(x:r).e  in  e 

Since  functions  are  in  CPS,  they  never  return,  which  we  repre¬ 
sent  with  the  arbitrary  return  type  0.  To  represent  closures,  the  lan¬ 
guage  includes  existential  packages  constructed  by  (t  =  ri,  v  1x2) 
and  of  type  (3f.T2).  The  open  v  as  (t,x)  in  e  construct  takes  an 
existential  package  v,  binds  the  witness  type  to  t  and  the  value  to 
x,  and  then  executes  e.  The  complete  program  consists  of  a  list 
of  mutually  recursive  closed  function  declarations  followed  by  the 
main  term  to  be  executed. 


4.  Target  language  A gc 

The  language  used  to  write  the  garbage-collector  (and  into  which 
we  translate  A  clos  programs)  is  shown  in  Fig.  2.  It  extends  A  clos 
with  regions  [17]  and  intensional  type  analysis  [8,  19].  Functions 
are  also  fully  closed  and  use  CPS  but  they  can  additionally  be  poly¬ 
morphic  over  tags  and  regions. 

4.1  Regions 

Our  region  calculus  uses  “references”  denoted  u.£  of  type  (o  at  p) 
rather  than  annotations  like  cti  x  p 02  (which  is  written  (<ti  x  02 )  at  p 
instead).  Similarly,  object  allocation  and  memory  accesses  are  made 
explicit  with  put  and  get.  This  was  only  preferred  because  of  its 
orthogonality. 

Region  allocation  and  reclamation  is  done  with  let  region  and 
only.  Deallocation  of  a  region  is  implicit  since  only  lists  the  regions 
that  should  be  kept.  This  neatly  works  around  aliasing  problems, 
at  the  cost  of  a  more  expensive  deallocation  operation  (only  needs 
to  go  through  the  list  of  all  regions  to  find  which  ones  need  to  be 
reclaimed).  In  our  case,  we  have  very  few  regions  and  deallocate 
them  only  occasionally,  so  it  is  a  good  tradeoff. 
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( tenv ) 

0  : 

:=  ■  |  0,f :/t 

( venv ) 

T  : 

:=-|r,a;:cr 

( renv ) 

A  : 

:=  •  1  A  ,p 

(a  env ) 

$  : 

:=  ■  <f\a:  A 

(. region  types) 

T  : 

:=  {£i  :ai, . . .  ,£n:on} 

{mem  types) 

: 

:=  {cd:  Tccj ,  v-l  :Ti, .  .  .  , 

{ regions ) 

R  : 

:=  {(ih*»i,...,4i->  vn} 

(memories) 

M  : 

•  —  { Cd  1  -  Rqq j  i  1  r  Rl ,  •  •  ■  ,  On  1  >  Rn  } 

(states) 

P  : 

:=  (M,  e) 

(regions) 

P  : 

:=  v  |  r 

(kinds) 

K 

:=  Q  |  fi  — ►  Q 

(tags) 

T 

:=  1 1  Int  |  n  x  T2  |  t  — >  0  |  3 t.r 

Xt.T  TlT2 

(types) 

a 

:=  int  |  (7i  X  o2  |  V[f :  k]  [r]  (a)  —>  0 

|  3t  :k.ct  |  o  at  p  |  Mp(r)  |  a 

1  VJfl[r](<7)  0  |  3a:  A. a 

(values) 

V 

\=  n\x\v.t  \  (vi,v2)  |  (t  =  r,v:a)  \  u[rj 

|  (a:  A  =  ai,v:a2)  \  X[t :  K][r\(xV&)  .e 

( operations ) 

op 

:=  v\mv\  put[p]n  get  v 

(terms) 

e  : 

:=  w[r][p](u)  |  let  x  =  op  in  e  |  halt  v 

ifgc  pe i  e2  |  open  v  as  ( t ,  x)  in  e 

|  open  v  as  (a,  x)  in  e  |  let  region  r  in  e 
j  only  A  in  e 

|  typecase  t  of  (ej ;  ex;  fife-ex  ;te.ea) 

( tagnf)  r'  ::=  t\  lnt|  t'  — ►  0  |  t[  x  t2  3f.r'  |  At.r' 

I  tr' 

Figure  2:  Syntax  of  Agg 

4.2  Intensional  type  analysis 

As  explained  earlier,  we  have  split  the  notion  of  type  into  two. 
Tags  represent  the  runtime  type  descriptors  and  map  very  directly 
to  source-level  types  without  any  region  annotations.  The  only  dif¬ 
ferent  between  A clos  types  and  A gc  tags  is  the  addition  of  tag 
functions  A t.r  and  tag  applications  T1T2,  which  are  needed  for  type 
analysis  of  existentials  [19].  To  do  the  actual  analysis  of  tags,  terms 
include  a  refining  typecase  construct,  i.e.  a  more  refined  tag  is 
substituted  for  r  in  each  arm  of  the  typecase.  Finally,  instead  of  a 
full-blown  Typerec  construct  we  only  provide  a  hard  coded  M,  to 
keep  the  presentation  simpler.  Mp(t)  is  the  type  corresponding  to 
the  tag  r  complemented  with  region  annotations  p: 

Mp(lnt)  =>  int 

Mp(n  x  T2)  =>  (Mp(n)  x  Mp(t2))  at  p 
Mp(3f.r)  =>  (3f :  fl.Mp(r))  at  p 
Mp(r  — +  0)  =>■  V[][r](Mr(r))  — ►  0  at  cd 

This  definition  of  M  forces  the  mutator  to  maintain  the  invariant 
that  all  objects  are  allocated  in  the  same  region,  which  is  all  our 
garbage  collector  requires. 

4.3  Functions  and  code 

Since  programs  in  A  gc  are  completely  closed,  we  can  separate 
code  from  data.  The  memory  configuration  enforces  this  by  having 
a  separate  dedicated  region  cd  for  code  blocks.  The  indirection 
provided  by  memory  references  allows  us  to  do  away  with  letrec. 
A  value  A[£j[r|(5rTcf).e  is  only  an  array  of  instiuctions  (which  can 
contain  references  to  other  values  in  cd )  and  needs  to  be  put  into  a 
region  to  get  a  function  pointer  before  one  can  call  it.  In  practice, 


[  F  h  A  clos  =»  Ago  ] 

F  \-v  n  =>  n  F  b„  /  =>■  cd -F(f)  F  \-v  x  =$>  x 

F  \-v  vi  =>  v[  F  h„  V2  =>  v2 
F\-v  (vi,v2)  =>  put[r](vj,  t4) 

F  v  =>  v' 

F  \-v  (t  =  T1,v.T2)  =>■  put[r](f  =  n,u' :Mr(r2)) 

F  \-v  vi  =>  v[  F  h v  v2  =>  v'2  F  h®  v  =>■  v' 

F  he  vi(v2)  =>  wi[][r]('y2)  F  \-e  halt  v  =>  halt  v' 

F  he  e  =>  e!  F  \-v  v  =>  v' 

F  \-e  open  v  as  (t,  x)  in  e  =>  open  (get  v')  as  (t,  x }  in  e' 

F  he  e  =>  e!  F  \-v  v  =>  v' 

F  he  let  x  =  v  in  e  =>  let  x  =  v'  in  e' 

F  he  e  =>  e'  F  v  =>  v' 

F  l-e  let  x  =  ix iV  in  e  =>  let  x  =  7^  (get  v')  in  e' 

F  he  e  =>  e'  t=  F(f) 

F  \-f  f  =  A (x-.r).e  =>  A[][r](a;:Mr(r)).ifgc  r  (pc[r][r]( cd.£,x))  e! 

F  =  {fj~t i,...}  Fhf  fi  =  \(x:T).e=>  f'  F  he  e  =>  e' 

l-p  letrec  /  =  A (x:r).e  in  e 

=>  ({cd  {h  i — >  /i ,  -  -  •}},  let  region  r  in  e') 

Figure  3:  Translation  of  A  clos  terms. 

functions  are  placed  into  the  cd  region  when  translating  code  from 
A  clos  and  never  directly  appear  in  A  gc  code. 

5.  Translating  A  clos  to  XGC 

The  translation  of  terms  from  A  clos  to  A  gc  shown  in  figure  3 
is  mostly  directed  by  the  type  translation  Mp  presented  earlier:  each 
function  takes  the  current  region  as  an  argument  and  begins  by 
checking  if  a  garbage  collection  is  necessary.  All  operations  on 
data  are  slightly  rewritten  to  account  for  the  need  to  allocate  them 
in  the  region  or  to  fetch  them  from  the  region. 

For  example  a  A  clos  function  like: 

fix  swap(at:int  x  int). 

let  x  1  =  7na;  in  let  x2  =  tx2x  in  let  x'  =  (x2,  xl)  in  halt  0 
would  turn  into  the  following  Agc  function  (apart  from  some  syn- 
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fix  gc[t:Q] [n](/ :V[][r](Mr(f))  ->  0,*:  Mri  (£)). 

let  region  r2  in 

let  y  =  copy[t] [ri,  r2](a:)  in 

only  {r2}  in/[][r2](j/) 

fix  copt/[t:S7][ri,r2](:r:Mri(f))  :  M,2(t). 

typecase  f  of 
int  =>  x 

A  =>  x 

ti  x  t?  =>  let  xi  =  copy[ti][ri,  r2](7ri(get  x))  in 
let  X2  =  copy[t2][ri,r2](7r2(getx))  in 
put[r2](*i,  *2) 

3 te  =a  open  (get  x)  as  (t,  y)  in 

let  z  =  copy[tet\  [»'i ,  r2]  (y)  in 
put[r2]  ( t  =  t,z :  Mr2  ( tet )} 

Figure  4:  The  garbage  collector  proper. 

tactic  conveniences): 

fix  swap[][r](x :  (Int  x  Int)  atr). 
ifgc  r  (gcflnt  x  Int]  [r] (swap,  x)) 
let  x  =  get  x  in 
let  a;l  =  7rix  in 
let  x2  =  tv2x  in 
let  x'  =  put[r](a:2,  xl)  in 
halt  0 

An  important  detail  here  is  that  the  garbage  collector  receives  the 
tag  t  rather  than  the  type  a  of  the  argument.  The  garbage  collector 
receives  the  tags  for  analysis  as  they  were  in  A clos  rather  than 
as  they  are  translated  in  A gc-  This  maintains  a  clear  distinction 
between  the  types  the  programmer  thinks  he  manipulates  and  the 
real  types  they  map  to. 

Another  interesting  detail  is  that  if  the  region  is  full,  the  function 
calls  the  garbage  collector  with  itself  as  the  return  function.  I.e. 
when  the  collection  is  finished,  the  collector  will  jump  back  to  the 
function  which  will  then  redo  the  check.  We  could  instead  call  the 
garbage  collector  with  another  function  as  argument.  That  would 
save  us  from  redoing  the  ifgc  but  would  require  many  tiny  functions 
which  are  just  not  worth  bothering  with. 

The  translation  in  figure  3  uses  A  gc  in  a  somewhat  loose  way 
to  keep  the  presentation  concise.  More  specifically,  it  will  gen¬ 
erate  terms  such  as  let  x  =  7r,(get  v )  in  e  instead  of  let  x'  = 
get  v  in  let  x  =  itix'  in  e.  Turning  such  code  back  into  the  strict 
A  gc  is  immediate. 

On  the  other  hand,  the  garbage  collection  code  in  figure  4  uses 
not  only  some  syntactic  sugar  but  even  resorts  to  using  a  direct- 
style  presentation  of  the  copy  function.  This  is  only  for  clarity  of 
presentation,  of  course.  As  can  be  seen  in  figure  12  in  the  appendix, 
the  code  after  CPS  and  closure  conversion  is  a  lot  more  difficult 
to  read,  partly  because  of  the  need  to  do  a  form  of  typed  closure 
conversion  [10], 

The  garbage  collector  itself  is  very  simple:  it  first  allocates  the  to 
region,  asks  copy  to  move  everything  into  it  and  then  free  the  from 
region  before  jumping  to  its  continuation,  using  the  new  region. 

The  copy  function  is  similarly  straightforward,  recursing  over 
the  whole  heap  and  copying  in  a  depth-first  way.  Clearly,  the  direct 
style  here  hides  the  stack.  When  the  code  is  CPS  converted  and 
closed  (as  shown  in  the  appendix),  we  have  to  allocate  that  stack 
of  continuations  in  an  additional  temporary  region  and  unless  our 
language  is  extended  with  some  notion  of  stack,  none  of  those  con¬ 
tinuations  would  be  collected  until  the  end  of  the  whole  garbage 


collection.  The  size  of  this  temporary  region  can  be  bounded  by 
the  size  of  the  to  region  since  we  can't  allocate  more  than  one  con¬ 
tinuation  per  copied  object,  so  it  is  still  algorithmically  efficient, 
although  this  memory  overhead  is  a  considerable  shortcoming. 

6.  A  closer  look  at  A  gc 

Programs  in  A  gc  use  an  allocation  semantics  which  makes  the 
allocation  of  data  in  memory  explicit.  The  semantics,  defined  in 
Fig.  5,  maps  a  machine  state  P  to  a  new  machine  state  P' .  A  ma¬ 
chine  state  is  a  pair  (M,  e)  of  a  memory  M  and  a  term  e  being 
executed.  A  memory  consists  of  a  set  of  regions;  hence,  it  is  de¬ 
fined  formally  as  a  map  between  region  names  v  and  regions  R.  A 
region,  in  turn,  is  a  map  from  offsets  l  to  storable  values  v.  There¬ 
fore,  an  address  is  given  by  a  pair  of  a  region  and  an  offset  v.t.  We 
assign  a  type  to  every  location  allocated  in  a  region;  T  denotes  a 
region  type.  Finally,  the  memory  type  'P  assigns  a  region  type  to 
every  region  allocated  in  memory. 

6.1  Closure  conversion  and  copy. 

Since  the  source  language  is  monomorphic,  closure  conversion 
need  only  rely  on  existentials.  This  simplicity  is  however  broken  by 
the  copy  function  in  the  garbage  collector  itself  because  this  func¬ 
tion  is  (recursively)  polymorphic.  For  that  reason,  we  also  need  a 
form  of  translucent  type,  namely  V[t]  [f]  ( o )  -A  0.  Closure  con¬ 
version  of  the  CPS  form  of  copy  was  also  the  only  reason  for  intro¬ 
ducing  (a :  A  =  cri,  t; :  cr2). 

6.2  Functions  and  code 

Since  function  bodies  can  contain  references  to  other  functions 
in  cdbut  we  do  not  have  an  easy  way  for  the  garbage  collector  to  an¬ 
alyze  a  function  body  to  trace  through  those  references,  cd  enjoys 
a  special  status.  It  cannot  be  freed  and  can  only  contain  functions, 
no  other  kind  of  data. 

An  alternative  would  be  to  require  all  functions  to  be  fully  closed, 
but  that  would  require  the  addition  of  recursive  types  for  the  envi¬ 
ronment  containing  pointers  to  all  functions  and  passed  around  ev¬ 
erywhere.  It  would  save  us  from  all  that  cd  special  casing,  and 
would  allow  garbage  collecting  code,  but  on  the  other  hand,  it 
would  be  less  realistic  since  it  would  amount  to  disallowing  direct 
function  calls. 

6.3  The  type  calculus 

The  target  language  must  be  expressive  enough  to  write  a  tracing 
garbage  collector.  Since  the  garbage  collector  needs  to  know  the 
type  of  values  at  runtime,  the  language  A  gc  must  support  the  run¬ 
time  analysis  of  types.  Therefore,  conceptually,  types  need  to  play 
a  dual  role  in  this  language.  As  in  the  source  language  A  clos,  they 
are  used  at  compile  time  to  type-check  well  formed  terms.  How¬ 
ever,  they  are  also  used  at  runtime,  as  tags,  to  be  inspected  by  the 
garbage  collector  (and.  in  general,  by  any  type  analyzing  function). 
To  enforce  this  distinction,  we  split  types  into  a  tag  language  and  a 
type  language.  The  tags  correspond  to  the  runtime  entity,  while  the 
types  correspond  to  the  compile  time  entity. 

While  translating  from  A  clos  to  A  gc,  the  tag  for  a  value  must 
be  constructed  from  its  type.  Therefore,  the  tags  in  A  gc,  closely 
resemble  the  type  language  in  the  source.  To  support  the  analysis 
of  these  tags,  we  need  to  add  tag  level  functions  (Af.r)  and  tag  level 
applications  (tti).  In  turn,  this  requires  a  kind  calculus  to  classify 
the  tags. 

Types  are  used  to  classify  terms.  The  type  language  includes  the 
existential  type  for  typing  closures  and  the  code  type  V[f][r](a)  — > 
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(M,  vl[f\[p\{v)) 

(M,v1[t'][p\(  v)) 

where  M(v.l)  =  (A[f :  k]  [r\(x :  a).e) 

( M ,  (f[7l)[r][p](t/)) 

(M,  let  x  =  v  in  e) 

(M,  let  x  =  ni(vi,v2)  in  e) 

(M,  let  x  =  puf[t/]v  in  e) 

(M,  let  x  =  get  v.l  in  e) 

(M,  open  (t  =  r,v:a)  as  (t,x)  in  e) 

(M,open  ( t  =  r',v:a }  as  (t,x)  in  e) 

(M,  open  (a :  A  =  iti,  v : (J2)  as  (a,  x)  in  e) 

(M,  ifgc  p  ei  e2) 

(M,  ifgc  p  ei  e2) 

(M,  let  region  r  in  e) 

(M,  only  A  in  e) 

(M,  typecase  r  of  (ep  e>;  fifa.ex ;  fe.e3)) 

(M,  typecase  Int  of  (ej;eA;fif2.ex;fe.e3)) 

(M, typecase r  Oof  (epeAjtife.exjte-ea)) 
(M,  typecase  n  x  r2  of  (ej;eA;fif2.ex;fe-e3)) 
(M,  typecase  3f.r  of  (ej;eA;tii2.ex;fe.e3)) 


(M,  vl[f][p\{y)) 

( M,e[p,f,v/r,t,x ]) 


(M,v[r\[p\(v)) 

( M,e[v/x ]) 

(M,e[xi/x]) 

(M{v.i  1— >  w},  e[v.i/x\)  where  l  (f:  Dom(M(i ')) 
(M,  e[v/x\)  where  M(v.£)  =  v 
(M,  open  ( t  =  T,v.a }  as  (t,  x)  in  e) 
(M,e[r',v/t,x]) 

(M,e[ai,v/a,x]) 

(M,e  1)  if  pis  full 

(M,  e2)  if  pis  not  full 

(M{u  1 — ^  {}},  e[v/r\)  where  v  Dom(M) 

(M|A,e) 


(M,  typecase  r'  of  (ej;eA;fif2.ex;fe.e3)) 

(M,  ei) 

(M,eA) 

(M,  ex[ri,r2/fi,f2]) 

(M,  e3[Af.r/fe]) 


Figure  5:  Operational  semantics  of  Ace- 


0  for  fully  closed  functions.  Moreover,  types  in  the  target  language 
must  include  the  region  in  which  the  corresponding  value  resides. 
Therefore,  we  use  the  notation  a  at  p  for  the  type  of  a  value  of  type 
a  in  region  p. 

To  reason  about  the  safety  of  programs  in  this  language,  we  will 
often  need  to  assume  that  a  value  resides  in  a  particular  region  only. 
For  example,  after  the  copy  function  is  finished,  we  must  be  able 
to  assume  that  all  the  data  is  contained  only  in  the  new  region;  so 
that  the  old  region  can  be  safely  freed.  Therefore,  to  ensure  type 
safety,  we  must  be  able  to  enforce  this  invariant  at  the  type  level. 
For  this,  we  use  the  built  in  type  operator  M.  The  type  Mp(r)  can 
only  contain  values  that  are  in  region  p.  Notice  that  it  is  a  restricted 
form  of  the  fully  reflexive  Typerec  operator  [19],  Essentially,  it  is 
a  Typerec  that  has  been  hard-wired  into  the  language. 

6.4  The  term  calculus 

The  term  language  must  support  region  based  memory  manage¬ 
ment  and  runtime  type  analysis.  New  regions  are  created  through 
the  let  region  r  in  e  construct  which  allocates  a  new  region  v  at 
runtime  and  binds  r  to  it.  A  term  of  the  form  put[p]x  allocates  a 
value  v  in  the  region  p.  Data  is  read  from  a  region  in  two  ways. 
Functions  are  read  implicitly  through  a  function  call.  Data  may 
also  be  read  through  the  get  v  construct.  Operationally,  the  get 
construct  takes  a  memory  address  v.i  and  dereferences  it. 

Deallocation  is  handled  implicitly  through  the  only  A  in  e  con¬ 
struct  [21],  It  asserts  statically  that  the  expression  e  can  be  eval¬ 
uated  using  the  set  of  regions  bound  to  A'  and  the  code  region, 
which  is  a  subset  of  the  region  variables  currently  in  scope. 

fr|A';A',Cd;0;$|A';r|A,  he  A' C  A 
>?;  A;  0;  <f>;  T  h  only  A'  in  e 

The  memory  is  restricted  to  the  set  of  regions  in  A'  (\1/|A')  and  the 


code  region.  Similarly,  the  other  environments  (<b  and  T)  are  re¬ 
stricted  to  be  well  formed  under  A'  ($|A/  and  T|A/).  At  runtime, 
an  implementation  would  treat  the  set  of  regions  in  A'  as  live  and 
reclaim  other  regions.  Since  the  reclamation  works  on  whole  re¬ 
gions,  the  cost  is  proportional  to  the  number  of  regions.  Since  this 
number  is  usually  small,  it  entails  an  insignificant  runtime  penalty. 
The  dynamic  check  takes  care  of  aliasing.  This  makes  our  system 
significantly  simpler  since  we  can  avoid  the  heavy  type  machinery 
required  to  detect  aliasing  statically. 

The  runtime  type  analysis  is  handled  through  a  typecase  con¬ 
struct.  Depending  on  the  head  of  the  type  being  analyzed,  the 
typecase  chooses  one  of  the  branches  for  execution.  When  an¬ 
alyzing  a  type  variable  t ,  we  refine  types  containing  t  in  each  of  the 
branches  [6], 

0  h  t  :  g 

T';  A;  0;  <f>;  T[int/f]  h  ei[int/f] 


vE<;  A;  0;  <f>;  F  h  typecase  t  of  (ep  eA;  fif2-ex ;  fe.e3) 

In  the  e,  branch,  we  know  that  the  type  variable  t  is  bound  to  Int 
and  can  therefore  substitute  it  away.  A  similar  rule  is  applied  to  the 
other  cases. 

6.5  Formal  properties  of  the  language 

In  this  section,  we  prove  that  type  checking  in  A gc  is  decidable 
and  that  the  calculus  is  sound.  We  omit  the  proofs  due  to  space 
constraints.  The  reader  may  refer  to  the  companion  technical  report 
for  details. 

6.5.1  Type  checking  is  decidable 

Proposition  6.1  Reduction  of  well  formed  types  is  strongly  nor- 
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0  b  n  :  ft  0  b  T2  :  ft 
0  b  n  X  T2  :  ft 


(  0  b  r  :  K  ) 

0(f)  =  K 

I—  Int  :  £7  0  1 ~  t  :  K 

0  b  Ti  :  ft  0,f:ft  b  r  :  ft 

0  b  r  ^  0  :  ft  0  h  3t.r  :  ft 

0,t:ft  hr:ii  0  b  n  :  ft  — >  ft  0  b  r2  :  ft 

0  b  Af.r  :  ft  — >  ft  ©  b  riT2  :  ft 

A;  0;  <f>  b  cr 

_  A;0;$h(7i  A;0;$|-cr2 

A;  0;  <P  b  int  A;  0;  $  h  C7i  X  <72 

{r};trk;-  b  (7j  A;0,t:K;$b(7 

A;  0;  <f>  b  V[t  Trc]  [r|  (?)  ^  0  A;  0;  $  b  3t:K.(7 

A;0;<Pb(7  pG  A  ©brift  p  G  A 
A ;  0 ;  <E>  b  a  at  p  A;  0;  $  b  Mp(r) 

<f>(a)  =  A'  A' C  A  A;  0;  <P,  a :  A'  b  a  A' C  A 
A;  0;  <f>  b  a  A;  0;  <f>  b  3a:A'.cr 

{r};  0;  ■  b  a;  0-b  r,  :  Ki  p  G  A 
A;  0;  $  b  V[t|  [f]  (?)  A  0 

'P;  A;  0;  $;  T  b  v  :  a  \P;  A;  0;  <£>;  Y  b  op  :  a 

r(x)  =  a 

f;A;0;$;rb  n  :  int  f;A;0;$;rbi  :  a 

\P(ixf)  =  a  Dom(x P);  •;  •  b  a  at  v 
f;A;0;$;rbi/.f  :  a  at  v 

cd,  r;  t;  ■  b  <7j  '5|cc|;  cd,  r;  t  :k;  •;  5TT?  b  e 

'P;  A;  0;  <£>;  T  b  A[t :  ft]  [r\(xT&).e  :  V[t :  k] [r] (?)  — >  0 

$;A;0;$;rb»:  V[f  f/c]  [r]  (?)  ^  0  at  p  0  b  n  :  m 
$;A;0;$;rb!)[f|  :  V[f][r|(?[f/t])  A  0 

'P;  A;  0;  $;  r  b  Di  :  (Ji  >P;  A;  0;  <f>;  T  b  V2  :  (72 
VP;  A;  0;  <P;  F  b  (vi,  V2)  :  <7i  X  <72 

'P;  A;  0;  $;  F  b  w  :  (7i  X  <72  'P;  A;  0;  $;  T  b  v  :  (7  at  p 

<P;  A;  0;  <E>;  r  b  7TiV  :  'P;  A;  0;  <P;  F  b  get  V  :  a 

0  b  t:k  $;A;0;$;rbv  :  a[r/t] 

'P;  A;  0;  <P;  F  b  (t  =  r,  v:a)  :  3 t:K.a 

A';  0;  $|A/  b  <P;  A;  0;  <P;  T  b  v  :  C72[(7i/a] 


'P;  A;  0;  <P;  F  b  e  | 

$;A;0;$;rb»:  V[t  f/c]  [r]  (?)  ->  0  at  p 
fP;  A;  0;  <P;  T  b  Vi  :  crf  [p,  f/r,  tj  0  b  t»  :  /cj  p;  G  A 
*P;  A;  0;  <t>;  T  b  v[r][p](v) 

>P;  A;  0;  <P;  F  b  v  :  V[f][f](?)  A  0 
'P;  A;0;<P;F  b  Vi  :  <Ji[p/f]  pi  €  A 

vP;A;0;<&;Fb«[f][p](v) 

<P;  A;  0;  <P;  F  b  op  :  a  'P;  A;  0;  <P;  T,  x :  a  b  e 
tP;  A;  0;  <P;  T  b  let  x  =  op  in  e 

'P;  A;  0;  <J>;  T  b  v  :  3t'  :k. a  \P;A;0,t:/c;$;r,x  :<r[t/t'\  b  e 
\P;  A;  0;  <P;  T  b  open  v  as  (t,  x )  in  e 

VP;  A;  0;  <P;  T  b  v  :  3a':A'.<7  <P;  A;  0;  $,  a :  A';  V,  x :  a[a/a'\  b  e 
vP;  A;  0;  <P;  T  b  open  v  as  (a,  x)  in  e 

>P;  A;0;<P;r  b  ei  >P;  A;  0;  <P;  T  b  e2  pG  A 
>P;  A;0;  <P;  Y  b  ifgc  p  ei  e2 

>P;  A,  r;  0;  <P;  r  b  e  <P;  A;  0;  T  b  v  :  int 

<P;  A;  0;  $;  r  b  let  region  r  in  e  'P;  A;  0;  r  b  halt  v 

^|A';A',cd;0;$|A';r|A'  b  e  A' c  A 
'P;  A;  0;  $;  r  b  only  A'  in  e 

_ *P;  A;  0;  <P;  r  b  ej _ 

VP;  A;  0;  r  b  typecase  Int  of  (ej;  e\;tit2.ex;te.e3) 

>P;  A;  0;  <P;  T  b  eA 

vP;  A;  0;  <P;  r  b  typecase  f  — ►  0  of  (ej;  e\;  tit2.ex ;  te-es) 

VP;  A;  0;  $;  r  b  ex  [n,  r2/ti, fo] 

$;A;0;$;Tb  typecase  (n  x  r2)  of  (ej;eA;fit2-ex;4-e3) 

_ >P;  A;  0;P;r  b  e3[At.r /te\ _ 

VP;  A;  0;  $;  r  b  typecase  3t.r  of  (ey,e\;  fifa.ex ;  fe.e3) 

0  b  t  :  ft 

vP;  A;  0;  3>;  r [int/ 1]  be»[int/i] 

VP;  A;  0;  $;  T  b  eA 

<P;  A;  0,  :  ft,  f2  <P;  F[ti  X  tz/t]  h  ex[ti  X  t2/t\ 

A;  0,  te  ■  ft  — >  f2;  <3>;  T[3t.tet/t]  b  e3[3t.tef/f] 

'P;  A;  0;P;Tb  typecase  t  of  (ej;eA;fii2.ex;£e.e3) 


fP;  A;  0;  r  b  (a :  A'  =  cri,  v : (72)  :  3a:  A'. 02 

>P;  A;0;$;T  b  v  :  o  p  G  A 
VP;  A;  0;  $;  T  b  put[p]v  :  a  at  p 

Figure  6:  Static  semantics  of  Xac- 
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( A  h  T  F¥) 


{vi,  ■  •  • ,  v„}  I-  T i 
h  {v\  :Ti, . . .  ,i/n  : Tn} 


A;  ■  I-  cri _ 

Ah  {£l  :<Jl,  .  .  .  ,£n'CTn} 

TCC|  =  {£1  :V[fI][rl](wi  :al)  — >  0 , . . .  ,ln\M[fn] [rjj] ( vn  ■  o h )  — >  0} 
( T>  h  R  :  T  KMjj[) 

Tf;  Dom(T');  •;  •;  ■  h  Vi  :  m 
T>  I-  (Tl  Ul,  -  -  -  ,£„  Vn}  :  {G  :cti,  •  •  •  ,£n  :crn} 

h  {i/i:Ti,...,i/n:Tn}  Or  :Ti, . . . ,  vn  :Tn}  f-  :  T; 
h  {^i  i-»  7?i,  .  .  .  ,  vn  Rn}  :  {^l  :Ti, .  .  .  ,  isn  :T„} 

Figure  7:  Environment  formation  rules. 

malizing. 

Proof  Since  the  tag  language  is  a  simply  typed  lambda  calcu¬ 
lus,  reduction  of  well  formed  tags  is  strongly  normalizing  and  con¬ 
fluent.  The  termination  of  Mp(r)  follows  from  a  straightforward 
induction  on  the  size  of  the  tag  r.  □ 

Proposition  6.2  Reduction  of  well  formed  types  is  confluent. 

Proof  Since  the  reduction  of  well  formed  types  is  strongly  nor¬ 
malizing,  confluence  of  the  reduction  follows  from  local  conflu¬ 
ence.  This  follows  easily  from  a  case  analysis  of  the  reduction  of 
the  Mp(r)  tag.  □ 

6.5.2  Soundness 

Definition  6.3  The  machine  state  ( M ,  e)  is  well  formed  iff 

hM:$  >F;  Dom(T');  •;  •;  ■  h  e 
?  (M,e) 

Contrary  to  the  other  environments,  T/  is  not  explicitly  constructed 
in  any  of  the  static  rules,  since  it  reflects  dynamic  information.  In¬ 
stead,  the  soundness  proof,  or  more  specifically  the  type  preserva¬ 
tion  proof,  needs  to  construct  some  witness  T/'  for  the  new  state 
( M' .  e')  based  on  the  T/  of  the  initial  state  (A/,  e). 

Proposition  6.4  (Type  Preservation)  If  h  (A/,  e)  and 
(AT,  e)  =F  (AT',  e')  then  b  (AT',  e'). 

Proof  See  the  appendix  A. 

Proposition  6.5  (Progress)  Ifh  (AT,  e)  then  either  e  =  halt  v  or 
there  exists  a  ( M e ')  such  that  (AT,  e)  =£•  (AT',  e!). 

Proof  See  the  appendix  A. 

7.  Forwarding  pointers 

The  base  algorithm  presented  before  is  unrealistic  in  a  number  of 
ways.  The  first  is  the  fact  that  the  copy  function  does  not  preserve 
sharing  and  thus  turns  any  DAG  into  a  tree. 

We  hence  need  to  add  some  form  of  forwarding  pointers.  Wang 
and  Appel  suggest  to  pair  up  every  object  with  its  forwarding  pointer, 


Tq  A;0;<f»;r  h  v  :  a  4>;  A;  6;  <f>;  T  h  e 


$;A;0;$;TI-v  :  left  a  T1;  A;  0;  <f>;  T  h  v  :  right  a 
T';  A;  0;  T  h  Strip  v  \  o  A;  0;  T>;  T  h  Strip  v  :  o 

A;  0;  $;  T  h  v  :  cr  >3/;  A;  0;  <E>;  T  h  v  :  o 

T1;  A;  0;  <f>;  T  h  ini  v  :  left  a  To  A;  0;  <f>;  T  h  inr  v  :  right  a 

A;  0;  <E>;  T  h  v  :  cri  T»;  A;  0;  T>;  T  h  v  :  <T2 
T1;  A;  0;  T>;  T  h  v  :  cti  -)-  <72  Tt;  A;  0;  T>;  T  h  v  :  cti  +  <72 

To  A;  0;  T>;  T  h  v  :  o1  +  <72 
To  A;  0;  <f>;  T,  a;:<7i  h  ei  >3/;  A;  0;  T>;  T,  x  :<72  h  er 

T';  A;  0;  T>;  T  h  ifleft  x  =  v  ei  er 
Tf;  A;  0;  T>;  T  h  e 

>T;  A;0;  T>;T  h  ui  :  <J  at  p  To  A;  0;  T>;  T  h  v2  :  <7 
T';  A;  0;  T>;  T  h  set  Vi  :=  v2  ;  e 

A;  0;  T-;  T  h  v  :  Mp(r) 
T'|cd:Cd,p,p';0;$|pp';*:CPiP/(r)  h  e 
>T;  A;  0;  T>;  T  h  let  x  =  widen [p'][r](v)  in  e 


Figure  8:  Static  semantics  for  XGCforw 

incurring  a  significant  memory  cost.1  We  want  instead  to  represent 
objects  as  a  sum  (cr  +  fwd  <7),  which  requires  a  single  bit  per  object 
and  corresponds  much  more  closely  to  traditional  implementations. 
To  this  end,  A GCforw  extends  A gc  with  new  types  and  terms  for 
tag  bits  and  sum  types  as  well  as  memory  assignment.  We  do  not 
need  a  new  fwd  or  ref  type  since  we  can  use  the  region  calculus’ 
references  for  that  purpose. 

Another  requirement  for  a  realistic  GC  is  that  the  mutator  should 
not  need  to  constantly  check  for  the  presence  of  forwarding  pointers 
since  such  a  read-barrier  would  only  be  justified  for  an  incremental 
GC.  In  other  words,  the  type  as  seen  by  the  mutator  should  not  be 
a  sum,  although  it  should  still  contain  the  single-bit  tag  that  the 
GC  will  use  to  distinguish  between  forwarding  pointers.  Also  there 
should  be  a  way  to  switch  from  the  mutator’s  view  of  the  type  of 
an  object  to  the  one  of  the  collector.  So  we  also  need  to  add  a  form 
of  cast  that  we  call  widen  which  we  will  use  at  the  beginning  of  a 
collection  to  give  the  collector  access  to  the  forwarding  pointers: 


a  ::=  . 

.  left  a  right  0  left  cy  +  right  cr2  C 

v  ::=  . 

.  ini  v  \  inr  v 

op  . 

.  strip  v 

e  ::=  . . 

.  \  ifleft  x  =  v  ei  er  \  set  vi  V2  ;  e 

j  let  x  =  widen [p][r](v)  in  e 


ini  and  inr  (and  their  type-level  counterparts  left  and  right)  can 
be  thought  of  as  adding  a  single  tag  bit  to  an  object  while  Strip 
gets  back  the  untagged  object  and  ifleft  checks  the  tag  bit.  The 
idea  is  to  represent  objects  as  (left  <7)  to  the  mutator  (without  the 
(right  <7)  alternative  to  avoid  the  need  for  checks)  and  cast  them 
with  the  widen  operator  to  (left  0  +  right(<7  at  to))  when  entering 

1  This  additional  word  is  not  unheard  of,  since  replicating  garbage 
collectors  [14,  1]  incur  a  similar  overhead,  justified  by  the  desire 
to  provide  concurrent  collection  while  avoiding  the  cost  of  a  read- 
barrier. 
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the  garbage  collector  (here  “to”  denotes  the  region  variable  for  the 
to  space). 

Since  a  single  source-level  type  now  maps  to  two  different  possi¬ 
ble  types,  we  need  two  type  operators:  Mp(t)  to  map  source  types 
to  the  mutator’s  view  of  the  data  and  CPiP'  (r)  to  map  source  types 
to  the  collector’s  view  (which  adds  forwarding  pointers).  Mp(r)  is 
the  same  as  before  for  base  types  and  for  code  types,  but  is  changed 
for  existentials  and  pairs  by  adding  the  left  constructor  that  con¬ 
strains  the  mutator  to  provide  the  tag  bit  needed  to  distinguish  the 
forwarded  pointer  from  the  non-forwarded  data. 

Mp(lnt) 

Mp(t  — ►  0) 

Mp(3f.r) 

Mp(n  x  r2) 

CP,P'(lnt) 

CPlP'(r  -+  0) 

CPjP'(3f.r) 

CPjP/(ti  x  r2) 

It  is  worth  noting  again  here  how  the  M  type  operators  cleanly 
encapsulate  the  invariants  imposed  on  the  mutator  by  the  collector. 
In  this  case,  it  forces  the  mutator  to  provide  the  collector  with  free 
bit  that  the  collector  can  then  use  to  distinguish  forwarding  pointers 
from  non-forwarded  data.  And  we  also  see  how  the  same  mecha¬ 
nism  can  be  used  to  express  the  difference  between  the  restricted 
view  offered  to  the  mutator  and  the  full  blown  access  to  internal 
data  that  the  collector  needs. 

The  operational  semantics  of  the  new  operations  is  straightfor¬ 
ward,  especially  since  we  can  implement  the  assignment  operator 
by  reusing  the  indirection  through  the  memory: 


•  int 

■  V[]  [r](M,.(r))  — >  0  at  cd 

■  (left(3f.Mp(r)))  at  p 

■  (left(Mp(n)  x  Mp(t2)))  atp 

•  int 

■  Mp(t  — >  0) 

■  (left(3£.Cp,p'  (t))  +  right(Mp/(3f.r)))  at  p 

.  left(Cp,p/(n)  x  CPiP/(r2)), 
+right(Mp/(n  x  r2))  p 


(A/,  let  x  =  strip  (ini  v)  in  e) 
(AT,  let  x  =  strip  (inr  v)  in  e) 

(AT,  ifleft  x  =  (ini  v)  ei  er) 

(AT,  ifleft  x  =  (inr  v)  e;  er) 

(AT,  set  v.i  :=  v  ;  e) 

(AT,  let  x  =  widen [p][r](v)  in  e) 


(M,e[v/x]) 

(M,e[v/x\) 

(A/,  e; [ini  v/x\) 
(AT,  ei  [inr  v/x\) 

( M{v.l  i — *  v},e ) 
(M,e[v/x\) 


The  translation  from  A clos  to  this  XGCforw  is  not  shown  since 
it  is  basically  the  same  as  before  except  for  the  insertion  of  all  the  ini 
and  Strip.  The  garbage  collector  can  be  seen  in  figure  9.  Compared 
to  the  original  algorithm,  the  only  difference  in  the  gc  function  it¬ 
self  is  the  widening  of  the  heap  from  Mri  to  Cri,r2  and  the  fact 
that  we  have  to  bundle  the  /  and  x  arguments  into  a  pair  in  order  to 
pass  it  through  the  widen  operator  and  unbundle  it  afterwards.  The 
copy  function  also  needed  to  be  changed  of  course:  when  copying 
a  heap  object  such  as  a  pair,  it  now  has  to  check  with  ifleft  whether 
the  object  was  forwarded,  if  so  it  just  returns  the  forwarded  object, 
otherwise  it  does  the  copy  as  before  and  has  to  overwrite  (using  set) 
the  original  object  with  the  forwarding  pointer  before  returning  the 
copied  object. 


7.1  How  to  widen  safely 

The  only  non-trivial  extension  is  widen  which  allows  the  garbage 
collector  to  have  a  different  view  of  the  existing  memory,  provided 
the  two  views  are  somehow  compatible.  It  seems  difficult  to  solve 
the  problem  of  allowing  two  views  on  the  same  data  without  such 
a  form  of  cast.  At  first,  it  seems  we  are  just  applying  a  form  of  sub¬ 
typing,  but  this  form  of  subtyping  is  vety  powerful  since  it  allows 


fix  gc[t :  ft]  [n]  (/ :  Mri  (A (t)),x:  Mri  (t)). 

let  region  r2  in 

let  w  =  widen [r2][(A(t)  x  t)](put[n](inl  (/,*)))  in 

ifleft  w  =  get  w  then 
let  w  =  strip  w  in 

let  y  =  copy[t][r\,  r2](7r2w)  in 
only  {r2}  in  (7rm>)[][r2](y) 

else 
halt  0 

fix  copy[t:Q\  [ri,  r2](x :  Cri,P2  (t))  :  Mr2(t). 

typecase  t  of 
int  =a  x 

A  =>  x 

ti  x  t2  =>  let  y  =s  get  x  in 

ifleft  y  =  y  then 

letxi  =  copy[ti\ [n,r2](7n (strip  y))  in 
let  at2  =  copy\t2]  [ri,  r2](7r2 (strip  y))  in 
let  a:  =  put[r2](inl  (xi,x2))  in 

set  x  :=  inr  z  ;  a 
else 
strip  y 

3 te  =a  let  y  =  get  x  in 
ifleft  y  =  y  then 

open  (strip  y)  as  (t,y)  in 
let  y  =  copy[tet][n,r2]{y)  in 
letz  =  put[r2](inl  (t  =  t,y:Mr2(tet)))  in 
set  x  :=  inr  z  ;  z 
else 
strip  y 

Figure  9:  GC  with  forwarding  pointers. 


covariant  subtyping  of  references.  This  means  that  aliasing  issues 
have  to  be  handled  with  extreme  care. 

When  faced  with  the  same  problem,  Wang  and  Appel  came  up 
independently  with  a  similar  idea.  But  their  suggested  cast  leaves 
many  questions  open  and  might  need  more  work  to  be  made  type- 
safe.  Also  its  operational  semantics  actually  does  a  complete  copy 
of  the  heap  from  one  region  to  the  other.  This  might  make  it  easier 
to  prove  soundness  but  makes  it  unclear  whether  it  can  really  be 
implemented  as  a  nop.  In  contrast,  the  operational  semantics  of 
widen  is  a  nop  and  we  have  a  proof  of  its  soundness. 

In  order  to  handle  the  problem  of  aliasing  mentioned  above,  it 
might  be  possible  to  rely  on  some  form  of  linear  typing  or  alias 
types  [20],  but  given  the  inherent  generality  of  a  garbage  collector, 
it  seems  difficult.  Our  approach  is  to  rely  on  the  consistent  ap¬ 
plication  of  the  same  cast  over  the  whole  heap,  so  that  aliases  are 
guaranteed  to  be  cast  in  the  same  way. 

Rather  than  an  ad-hoc  widen  we  could  provide  a  more  general 
cast  that  can  consistently  apply  iteratively  some  type  transforma¬ 
tions  (as  long  as  it  obeys  the  notion  of  subtyping  extended  with 
covariant  subtyping  of  references)  to  any  particular  set  of  regions, 
but  the  complexity  of  such  an  operator  is  out  of  the  scope  of  this 
paper. 

In  Figure  8,  the  typing  rule  for  widen  shows  that  the  expression 
e  is  typed  in  an  environment  that  only  contains  x.  In  essence  x  rep¬ 
resents  the  entire  heap.  Further,  x  is  obtained  front  the  value  v  that 
has  type  Mp(r).  Looking  at  the  definition  of  M,  we  can  see  that 
all  values  reachable  from  v  will  have  a  type  of  the  form  Mp(r/). 
Since  both  M  and  C  are  iterators,  we  can  now  define  a  casting  op¬ 
eration  from  one  type  to  the  other  as  an  iterator.  This  iterator  will 
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traverse  the  entire  heap  and  systematically  convert  from  one  type  to 
the  other;  this  systematic  conversion  is  necessary  to  avoid  ending 
up  with  a  value  that  has  a  particular  type  along  one  path,  but  has  a 
different  type  along  another  path. 

The  proof  of  soundness  of  widen  is  rather  intricate.  It  starts  by 
ignoring  all  the  dead  objects  from  the  heap,  so  that  only  objects  of 
type  Mp(r)  are  left,  which  get  cast  to  CPiP/(t).  For  that  reason, 
we  needed  to  loosen  our  notion  of  a  well  formed  machine  state  to 
allow  restricting  the  considered  memory  M  to  just  a  well-typed 
sufficient  subset  AT,  where  “sufficient”  means  that  no  object  out¬ 
side  of  M  is  needed  to  complete  execution.  This  safely  permits 
ill-typed  garbage. 

Definition  7.1  The  machine  state  ( M ,  e)  is  well  formed  iff 

ffcM  hM:$  Dom(f);  •;  •;  ■  h  e 
H  (M,e) 

Proposition  7.2  (Type  Preservation)  If  b  (A/,  e)  and 
(AT,  e)  =f>  (AT',  e')  then  b  (AT',  e'). 

Proof  See  the  appendix  C. 

Proposition  7.3  (Progress)  Ifh  (AT,  e)  then  either  e  =  halt  v  or 
there  exists  a  ( M' ,  e')  such  that  (AT,  e)  ==£•  (AT',  e'). 

Proof  See  the  appendix  C. 

8.  Generational  collection 

Another  important  aspect  of  a  modern  GC  is  the  support  for  gen¬ 
erational  garbage  collection.  If  we  first  restrict  ourselves  to  a  side- 
effect  free  language,  then  we  can  collect  a  single  generation  at  a 
time  so  long  as  we  can  express  the  fact  that  an  object  in  the  old 
generation  cannot  point  to  an  object  in  the  young  generation. 

To  that  end  we  need  to  extend  A gc  with  existential  quantification 
over  regions,  so  that  the  mutator  does  not  need  to  care  whether  an 
object  is  allocated  in  the  young  or  the  old  region.  We  also  need 
to  add  some  way  to  check  in  which  region  an  object  is  allocated 
so  that  GC  can  detect  when  an  object  is  in  the  old  generation  (and 
hence  does  not  need  copying): 

cr  ::=  ...  j  3rGA.(aatr) 

v  .  \  (r  €  A  =  p,v:  a) 

e  |  open  v  as  (r, x)  in  e  |  ifreg  (pi  =  p2)  e\  e2 

Apart  front  those  new  constructs  (whose  static  semantics  is  pre¬ 
sented  in  figure  10),  the  M  type  operator  also  needs  to  be  modified 
to  reflect  the  new  invariant  imposed  on  the  mutator.  It  is  now  in¬ 
dexed  by  two  regions  (the  old  and  the  new)  and  has  to  enforce  the 
fact  that  objects  in  the  old  region  cannot  have  references  to  the  new 
region: 

MPB,Po(lnt)  =Hnt 

MPb,Po(t  — >  0)  =>  V0[r„,ro](MPl,,ro(T))  — >  0  at  cd 
MP».Po(3t-r)  =A  3re{pa,p0}.((3t.Mr,Po(r))  at  r) 

Mp„,p0(Ti  x  t2)  =>  3re{pH,  p0}.((Mr.Po (n)  x  Mr,Po(r2))  at  r) 

By  using  the  set  {r,  p0}  we  make  sure  that  if  r  is  the  old  genera¬ 
tion,  pointers  underneath  it  cannot  point  back  to  the  new  generation. 
The  operational  semantics  are  again  rather  simple: 

(AT,  open  (r  €  A  =  v,  v.a)  as  (r,x)  in  e)  ==>  (AT,  e[v,  v/r,  a?]) 
(AT,  ifreg  {u  =  v)eie2)  =b  (AT,  ei) 

(AT,  ifreg  (^i  =  v2)  ei  e2)  =f>  (AT,  e2) 


A;e;$l-£T  A;  0;  T  b  v  :  a  T';  A;  0;  T  b  e 


A'  C  A  A,  r;  0;  4?  b  a  0  b  r  :  $2  pi  G  A  p2  G  A 

A;0;<f>  b  3rGA'.(a  at  r )  A;0;$  b  Mp1,P2(t) 


$;A;0;$;rbt)  :  a[p/r\  at  p  p  G  A'  A' C  A 
4/;  A;  0;  <F;  T  b  (r  G  A'  =  p,  v.a)  :  3r  G  A'.(a  at  r) 

I';A;0;$;rbt)  :  3r  G  A'.(a  at  r) 

'3/ ;  A,  r;  0;  T>;  T,  x :  a  at  r  b  e 

T;  A;  0;  <E>;  T  b  open  v  as  (r,  x)  in  e 

'F ;  A  [r,  r/n ,  r2\ ;  0 ;  <I>  [r,  r /n ,  r2] ;  T  [r,  r/r i ,  r2\  b  ei  [r,  r/r\ ,  r2] 
T';  A;  0;  $;  T  b  e2  r  f  A 

'F;  A;  0;  $;  T  b  ifreg  (n  =  r2)  ei  e2 

>]/;  A [v/r\\  0;  <&[v/r\\  T[v/r\  b  ei[v/r\  'T;  A;  0;  T>;  F  b  e2 

T*;  A;  0;  <E>;  T  b  ifreg  (r  =  v)  ei  e2 
iP;  A;  0;  <E>;  T  b  ifreg  (v  =  r)  ei  e2 

_ $;A;9;$;rbe2 _ 

T;  A;  0;  T  b  ifreg  (i>i  =  v2)  ei  e2 

f;A;0;$;rb  ei 

'T;  A;  0;  <F;  T  b  ifreg  {v\  =  vx)  ei  e2 

Figure  10:  Static  semantics  of  A GCgen- 


Although  the  operational  semantics  do  not  take  advantage  of  it 
(in  order  to  simplify  the  soundness  proof),  we  defined  the  existen- 
tials  over  regions  in  such  a  way  that  they  can  be  implemented  as 
nop  since  the  encapsulated  reference  usually  already  encodes  the 
region  in  its  bit-pattern  (or  in  its  v.I). 

The  new  term  translation  is  again  not  shown  since  it  is  so  similar 
to  the  original  one.  The  new  type  constraint  is  trivially  always  sat¬ 
isfied  as  long  as  the  mutator  only  allocates  from  the  younger  gener¬ 
ation  and  as  long  as  the  memory  is  immutable.  If  side-effects  were 
to  be  necessary,  it  should  be  possible  to  extend  this  scheme  with 
one  mutable  region  (keeping  all  others  immutable)  which  would 
be  considered  similarly  to  the  older  generation  but  scanned  at  each 
collection.  Obviously,  this  would  first  require  adding  some  way  to 
scan  a  region,  but  should  not  present  any  serious  difficulty. 

The  GC  itself  can  be  seen  in  figure  1 1 .  The  main  difference  with 
the  basic  GC  of  figure  4  is  that  it  does  not  copy  to  a  new  region 
but  to  an  existing  one  and  stops  traversing  the  tree  as  soon  as  we 
encounter  a  reference  to  the  old  generation. 

When  hitting  such  an  external  reference,  we  have  to  repack  it 
just  to  help  the  type-system  understand  that  this  reference  is  of  type 
MPb,Po  (r).  But  those  operations  are  free  anyway. 

Note  that  another  function  needs  to  be  written  to  garbage  collect 
the  old  generation,  but  that  one  is  the  same  as  the  non-generational 
one. 

At  first  sight,  the  A GCgen  language  may  seem  unsound  because 
we  allow  existentials  over  regions.  However,  these  types  are  not 
existentials  in  a  real  sense  since  they  do  not  hide  a  region  within  a 
type.  Rather,  in  the  type  3 r  G  A.(<r  at  r),  the  set  A  is  an  upper 
bound  on  the  regions  that  the  variable  r  may  range  over.  In  this 
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fix  gc[t :  fi] [ry ,  ra\ (/ :  Mry ,r„  (V[] [] (t) -*  0),i:Mr> ,r„ (t)). 
let  y  =  copy[t][ry,r0\(x)  in 
only  {ra}  in  let  region  ry  in  f[][ry,r0}{y) 

fix  copy[t :  fi]  [ry,  r0\{x :  Mryir.0  (£))  :  Mr„,ro(t). 

typecase  t  of 

int  =4-  x 
A  =4-  x 

ti  x  t2  =4  open  x  as  (r,  x)  in 

ifreg  r  =  rD  then  (r  €  {rD}  =  ra,  x)  else 
let  si  =  copy[ti][ry,  r0](7r1  (get  x))  in 
let  £2  =  copy[t2][r„,r0](7r2(gets))  in 
(r  6  {ra}  =  r0,put[r](si,s2)} 

3te  =4  open  x  as  (r.  x)  in 

ifreg  r  =  rD  then  (r  e  {r0}  =  ra,  x)  else 
open  (get  x)  as  (f,  y)  in 
let  2  =  copy[tet\[rv,ro\{y)  in 
(r  €  {r0}  =  r0,pu\[r]{t  =  t,  z:Mr,r0{tet))) 

Figure  11:  Generational  GC. 

sense,  our  existential  is  closer  to  a  bounded  quantification. 

Proposition  8.1  (Type  Preservation)  If  h  (M,  e)  and 

(M,  e)  =4  (M';  e')  then  h  (M',  e'). 

Proof  See  the  appendix  D. 

Proposition  8.2  (Progress)  If  \~  (M,  e )  then  either  e  =  halt  v  or 
there  exists  a  ( M ' ,  e')  such  that  (M,  e)  =4-  {M' ,  e'). 

Proof  See  the  appendix  D. 

9.  Related  work 

Wang  and  Appel  [21]  proposed  to  build  a  tracing  garbage  col¬ 
lector  on  top  of  a  region-based  calculus,  thus  providing  both  type 
safety  and  completely  automatic  memory  management.  The  main 
weakness  of  their  proposal  is  that  it  relies  on  a  closure  conversion 
algorithm  due  to  Tolmach  [18]  that  represents  closures  as  datatypes. 
This  makes  closures  transparent,  making  it  easier  for  the  copy  func¬ 
tion  to  analyze,  but  it  requires  whole  program  analysis  and  has  ma¬ 
jor  drawbacks  in  the  presence  of  separate  compilation.  We  believe 
it  is  more  natural  to  represent  closures  as  existentials  [10,  9]  and  we 
show  how  to  use  intentional  type  analysis  (on  quantified  types  [19]) 
to  typecheck  the  GC-copy  function. 

The  idea  of  intensional  type  analysis  was  first  proposed  by  Harper 
and  Morrisett  [8],  They  introduced  the  idea  of  having  explicit  type 
analysis  operators  which  inductively  traverse  the  structure  of  types. 
However,  to  retain  decidability  of  type  checking,  they  restrict  the 
analysis  to  a  predicative  subset  of  the  type  language.  Crary  et  al.  [5] 
propose  a  very  powerful  type  analysis  framework.  They  define 
a  rich  kind  calculus  that  includes  sum  kinds  and  inductive  kinds. 
They  also  provide  primitive  recursion  at  the  type  level.  Therefore, 
they  can  define  new  kinds  within  their  calculus  and  directly  en¬ 
code  type  analysis  operators  within  their  language.  They  also  in¬ 
clude  a  novel  refinement  operation  at  the  term  level.  Saha  et  al  [19] 
shows  how  to  handle  polymorphic  functions  that  analyze  the  quan¬ 
tified  type  variable — this  allows  the  type  analysis  to  handle  arbi¬ 
trary  quantified  types.  The  typerec  operators  (e.g.,  Mp)  used  in  this 
paper  do  not  require  the  full  power  of  what  is  provided  in  [19]  be¬ 
cause  our  source  language  is  only  a  simply  typed  lambda  calculus. 

Tofte  and  Talpin  [17]  proposed  to  use  region  calculus  to  type 
check  memory  management  for  higher-order  functional  languages. 


Crary  et  al  [4]  presented  a  low-level  typed  intermediate  language 
that  can  express  explicit  region  allocation  and  deallocation.  Our 
A gc  language  borrows  the  basic  organization  of  memories  and  re¬ 
gions  from  Crary  et  al  [4],  The  main  difference  is  that  we  don’t  re¬ 
quire  explicit  capabilities — region  deallocation  is  handled  through 
the  only  primitive. 

Necula  [13]  proposed  the  idea  of  a  certifying  compiler  and  showed 
the  construction  of  a  certifying  compiler  for  a  type-safe  subset  of 
C.  Morrisett  et  al.  [12]  showed  that  a  fully  type  preserving  com¬ 
piler  generating  type  safe  assembly  code  is  a  practical  basis  for  a 
certifying  compiler.  This  paper  shows  that  low-level  runtime  ser¬ 
vices  such  as  garbage  collection  can  also  be  expressed  in  a  type 
safe  language. 

10.  Conclusion  and  future  work 

We  have  presented  a  type-safe  intermediate  language  with  re¬ 
gions  and  intensional  type  analysis  and  show  how  it  can  be  used 
to  provide  a  simple  and  provably  type-safe  stop-and-copy  tracing 
garbage  collector.  Our  key  idea  is  to  use  intensional  type  analy¬ 
sis  on  quantified  types  (i.e.,  existentials)  to  express  the  garbage- 
collection  invariants  on  the  mutator  data  objects.  We  show  how 
this  same  idea  can  be  used  to  express  more  realistic  scavengers 
with  efficient  forwarding  pointers  and  generations.  Because  in¬ 
tensional  type  analysis  is  also  applicable  to  polymorphic  lambda 
calculus  [19],  we  believe  our  type  safe  collector  can  be  extended  to 
handle  polymorphic  languages  as  well. 

We  intend  to  extend  our  collector  with  the  following  features, 
which  a  modern  garbage  collector  should  be  able  to  provide: 

•  Polymorphism.  Intensional  type  analysis  is  a  powerful  frame¬ 
work.  Adding  support  for  polymorphism  is  straightforward 
but  tedious  because  the  type-system  becomes  a  lot  heavier. 

•  Cyclic  data  structures.  It  might  be  possible  to  extend  the 
current  depth-first  copying  approach  to  properly  handle  cy¬ 
cles,  but  we  are  more  interested  in  a  Cheney-style  breadth- 
first  copy  [2], 

•  Side-effects  and  generations.  A  first  approach  could  be  to  ex¬ 
tend  our  current  generation  scheme  with  a  third  region  con¬ 
taining  all  the  mutable  data.  But  ultimately  we  will  need  to 
use  either  card-marking  or  remembered-sets  [25]. 

•  Explicit  tag  storage.  Since  tags  exist  at  run  time,  we  need  to 
garbage  collect  them  as  well.  The  most  promising  approach 
is  to  reify  them  into  special  terms  as  was  done  by  Crary  et 
al  [6,  5],  This  will  also  allow  us  to  use  a  simpler  closure 
conversion  algorithm  for  polymorphic  code,  eliminating  the 
need  for  translucent  types. 
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Appendix 

A.  Soundness  of  A qc 


Throughout  this  section,  we  assume  unique  variable  names.  Our 
environments  are  sets  with  no  duplicate  occurrences  and  no  order¬ 
ing.  It  is  easy  to  show  by  induction  over  judgments  that  extending 
environments  with  additional  bindings  is  safe.  We  will  assume  this 
in  the  rest  of  the  section. 

The  code  region  cd  is  always  implicitly  part  of  the  environment. 
We  treat  it  as  a  constant  region.  Even  when  the  environment  is 
restricted  to  a  particular  set,  say  d/jA,  the  code  region  is  included 
in  the  restricted  set.  Therefore  d?  is  equivalent  to  {cd  : 

Tcd  ,  j  •  •  •  And  ^|cd  is  equivalent  to  {cd  ! 

^cd^- 

Lemma  A.l  If  A',  r;  0;  d?  E  a,  then  A  [v/r\\  0;  <S[v/r\  h  a  [v /r\ 
where  A',  r  =  A. 

Proof  The  proof  is  a  straightforward  induction  over  the  structure 
of  a.  □ 

Lemma  A.2  {${v/r])\/x  v  =  (<E>|zx  r)[v/r ]  and 
(r[«//r])|A,„  =  (r\A,r)[v/r] 

Proof  The  lemma  is  proved  by  considering  the  structure  of  $ 
and  T  respectively,  and  comparing  the  results  in  the  two  cases.  □ 

Lemma  A.3  If 'S',  A',  r;  0;  d>;  T  E  op  :  a,  then 
d/;  A[t//r];  0;  <&[v/r\\ T[v/r\  E  op[v/r\  :  o[v/r\ 
where  A',  r  =  A. 

Proof  The  proof  is  by  induction  over  the  structure  of  op.  Most  of 
the  cases  follow  directly  by  induction.  We  will  show  only  the  case 
for  type  packages. 

case  (a :  Ai  =  o i,v:  of)'.  We  know  that 

d/;A,,r;0;d?;TE  (a:  Ai  =<ri,  v:  172)  :  3  a :  A1.02 

This  implies  that  Ai;  0;  d?|Ai  E  oi  and 

d>;  A',  r;  0;  d?;  T  E  v  :  <T2[c7i/a] 

Suppose  r  £  Ai.  Then  r  does  not  occur  free  in  oi.  Then  applying 
the  inductive  hypothesis  to  the  derivation  for  v,  we  get  that 

$;A[i//r|;0;$[i//r];r[i//r]hi)[i//r]  :  (o2[v /r])[o\/ a] 

Supposed>i  =  c&Ia,.  Then  we  have  that  $[t//r] | Ai  =  d?i,d>2 
and  Dom($i)  (T  Dom(fS f)  =  0.  Therefore,  we  have  that 

Ai;  0;  $|a!  ,  d?2  E  <ti 

This  implies  that  Ai;  0;  d>  [;//r  ]  |  a  ,  E  a i,  which  leads  to  the  re¬ 
quired  result. 

Consider  now  that  r  £  Ai.  Suppose  Ai  =  A2,  r.  Then 
A2,  r;  0;  <f>|A2,r  E  oi 
Applying  lemmas  A.  1  and  A.2  we  get  that 

Ai [z//r];  0;  (d>[t//r])|A2j!,  E  oi[v/r } 

But  A2,  v  —  Ai  [ o/r\ .  The  second  subderivation  now  becomes 
d>;  A',  r;  0;  d?;  T  E  v  :  <72[<7i/a] 

By  applying  the  inductive  hypothesis  we  get  that 
d>;  A[t2/r];  0;  $[^/r];  T[v/r]  h  v[v/r\  :  (a2[^/r])[ai[^/r]/a] 
This  leads  to  the  required  result.  □ 

Lemma  A.4  If 'S',  A',  r;  0;  <f>;  T  E  e,  then 

d/;  A [v/r\,  0;  <S[v/r\,  T[v/r\  E  e[v/r\  where  A',  r  =  A 
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Proof  The  proof  is  by  induction  over  the  derivation  of  e.  Most 
of  the  cases  follow  directly  from  the  inductive  hypothesis.  We  will 
consider  only  one  case  here, 
case  only  Ai  in  e:  We  get  that 

A,  r;  0;  $;  T  b  only  Ai  in  e 

This  implies  that 

Ai,cd;  0;  $|a!;  T|Ai  t  e 

and  Ai  C  A,  r.  Suppose  r  (/  Ai.  Then  r  does  not  occur  free  in  e. 
Also  A\[v/r\  =  Ai.  Suppose  T|Al  =  Ti.  Then  we  have  that 
r[^/r]|Ai  =  Ti,r2  and  Dom( Ti)  (T  Dom(Tf)  =  0.  Since  we 
can  extend  environments,  we  get  that 

\l/|Al ;  Ai,  cd;  0;  T>i,  $2;  Ti,  r2  b  e,  where  <f>i  and  <f>2  are  con¬ 
structed  similar  to  IT  and  T 2 .  This  implies  that 

'T|Al;  Ai,cd;0;$i,<f>2;Ti,r2  b  e 

Also  Ai  C  (A,  r)[v/r\.  This  leads  to  the  required  result. 

Suppose  now  that  r  £  Ai.  Suppose  that  Ai  =  A2,r.  Then 
Ai  [v/r\  =  A2 ,  v.  Then  we  have  that 

'T|A2jT.;  A2,  r,  cd;  0;  $|  A2,r;  T|A2>t.  b  e 

Applying  the  inductive  hypothesis  we  get  that 

*|A2,r5  Ai  [v/r\,  cd;  0;  $|A2,r[t//r];  I'  A.,,r:t'/rl  h  e[u/r] 
Applying  lemma  A.2  we  get  that 

^ |  a2 ,r ;  Ai  [v/r\ ,  cd ;  0 ;  $ [v/r]  |  a2 ;  T[v/r\  |  a2 .b  e[v/r\ 

But  we  have  that  'TI  a2,t  =  'T|  a2.  Moreover,  \T| A2j„  =  'T|  a2  ,  '3// - 
Therefore,  we  get  that 

>T|A2,1,;  Ai[i//r],  Cd;  0;  §{v/r]\&2y,  V[v/r}\^2^  b  e[v/r\ 

We  also  have  that  Ai  [v/r\  C  A  [v/r].  This  leads  to  the  required 
result.  □ 

Lemma  A.5  7/0,  f : b  t  :  k  and  0hf  :  k',  then 
0  b  t[t’ /t\  :  K 

Proof  The  proof  is  a  straightforward  induction  over  the  structure 
of  r.  □ 

Lemma  A.6  If  A;  0,  t :  k.;  $  b  <r  and  0  b  t  :  k,  then 
A;  0;  <f>  b  o[r/t] 

Proof  The  proof  is  again  a  straightforward  induction  over  the  struc¬ 
ture  of  a.  □ 

Lemma  A.7  A;  0,  t :  ft;  $;  T  b  op  :  a  and  0  b  t  :  k  then 
'5;  A;  0;  <f>;  T[r/f]  b  op[r/t\  :  o[r/t] 

Proof  The  proof  is  a  straightforward  induction  over  the  structure 
of  op.  The  only  unusual  case  is  when  op  =  v.i.  In  this  case, 

'T( v.I )  =  a  and  Dom (>]/);  •;  ■  b  <7.  Therefore,  the  variable  t  does 
not  occur  free  in  o  at  v.  □ 

Lemma  A.8  A;  0,  t :  k;  $;  T  b  e  and  ■  b  r'  :  k  then 
T/;A;0;T>;r[r7f]  be[r'/f] 

Proof  The  proof  is  a  straightforward  induction  over  the  structure 
of  e.  The  only  interesting  case  is  for  a  typecase  when  the  substi¬ 
tuted  variable  is  being  analyzed. 

case  typecase  t  of  (ey,  e\;tit2-ex ;  fe-eg):  Suppose  we  substitute 
the  type  r'  for  the  variable  t.  Then  t'  can  only  be  one  of  Int,  r"  — > 

0,  Ti  x  r2,  or  3t.r" .  For  a  Int,  we  need  to  prove  that 

T';  A;  0;  <f>;  T[lnt/f]  b  (typecase  t  of  (ej;  eA;  tit2.ex ;  ^e.e3)) [Int/t] 
This  implies  that  we  need  to  prove  that 


'T;  A;  0;  T-;  T[lnt/f]  b  e^lnt/t] 

By  definition,  we  know  that 

T;  A;0,f:O;$;r[lnt/f]  b  e^lnt /t\ 

Since  t  is  being  substituted  away,  this  leads  to  the  required  result. 
For  a  code  type  we  need  to  prove  that 

'f;  A;  0;  $;  T[r'  -♦  0/f]  b 
(typecase  t  of  (ey,  ey,tit2.ex;te.e3))[T  ->  0/f] 

This  implies  that  we  need  to  prove  that 

A;  0;  $;  r[r'  ^  0/f]  b  eA[r'  -»  0/f] 

By  definition,  we  get  that  >3/;  A;  0,  f  :  Q;  <E>;  T  b  e\.  Substituting 
for  f  and  applying  the  inductive  hypothesis  leads  to  the  result. 

For  the  pair  type  we  need  to  prove  that 

’J';  A;  0;  T>;  T[(ti  x  r2)/f]  b 
(typecase  f  of  (ej;eA;fif2.ex;fe.e3))[(r{  x  r2)/f] 

This  implies  that  we  need  to  prove  that 

'T;  A;  0;  <f>;  T[(r{  x  r2)/f]  b  ex[(7  x  r2),  r2/f,  f  1 ,  f2] 

By  definition,  we  know  that 

'T;  A;  0,  f  fi  :fl,  f2  : 12;  $;  T[fi  x  f2/f]  b  ex  [fi  x  f2/f] 

Note  that  the  variables  fi  and  f2  do  not  occur  free  separately  in  T. 
Substituting  r[  for  fi,  r2  for  f2,  and  t[  x  t2  for  fi  x  f2  leads  to 
the  required  result. 

For  the  existential  type  we  need  to  prove  that 

Tb  A;0;$;r[3fi.r7f]  b 
(typecase  f  of  (ej;eA;fif2.ex;fe-e3))[3fi.r7i] 

This  implies  that  we  need  to  prove  that 

<7  A;  0;  $;  r[3f1.r7fj  b  egpfi.r',  Xh.r' /t,te\ 

By  definition  we  know  that 

'T;  A;  0,  f  :Q,  te  :  12  — >  12;  T>;  F[3fi.fefi/f]  b  eg[3fi.fefi/f] 

Substituting  (Afi.r7)  for  fe  and  applying  the  inductive  hypothesis 
we  get  that 

'T;  A;0,f:I2;$;r[3fi.r7f]  b  e3  [3fi.r',  Xh.r'/t,  te\ 

Since  f  is  being  substituted  away,  we  can  remove  it  from  the  type 
environment.  This  leads  to  the  required  result.  □ 

Lemma  A.9  If  A;  0;  T>,  a :  A'  b  o  and  A';  0;  $  b  o',  then 
A;  0;  <1?  b  o[o' / a] 

Proof  The  proof  is  a  straightforward  induction  over  the  structure 
of  0.  In  the  case  of  c‘ode  types,  we  use  the  fact  that  the  argument 
types  o  are  fully  closed.  □ 

Lemma  A.10  If 'll',  A;  0;  <f> ,  a :  A';  T  b  op  :  o  and  A';  0;  b  <r' 
then 

T1;  A;  0;  <f>;  r[<r7a]  f"  op[o’ / a\  :  o[o' /a] 

Proof  The  proof  is  again  by  induction  over  the  typing  derivation 
for  op.  We  will  consider  only  the  case  for  packages, 
case  {(3 :  A'  =<ri,  v :  of)'.  By  definition, 

Tb  A;  0;  <f>,  a:  Ai;  T  b  (/?:  A'^ai,  v:  of)  :  3f3:A'.o2 
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There  are  two  possible  cases.  If  Ai  C  A',  then  we  get  that 
A';  0;  $|A',  or.  Ai  b  o\  and 
$;A;0;$,a:Ai;rh«:  o2[o1//3] 

By  lemma  A.9, 

A';  0;  $|A/  h  o\  [o'  /  a] 

Applying  the  inductive  hypothesis  on  the  typing  rule  for  v  leads  to 
the  result. 

In  the  other  case,  we  get  that  A';  0;  <I>|  A'  b  o\  and 
$;A;0;$,a:Ai;rht)  :  a2[ai//3] 

This  implies  that  a  does  not  occur  free  in  o\ .  Therefore,  we  need 
to  prove  that 

>P;  A;  0;  $;  r[a'/a]  b 

{/3:A'  =  o\,v[o'/a\:o2[o'/ot\)  :  3/3:  A'.cr2[cr'/a] 

This  follows  from  applying  the  inductive  hypothesis  to  the  judg¬ 
ment  for  v.  □ 

LemmaA.il  If  A;  0;  <I>  b  cr[  o'  /  o\  and  a  occurs  free  in  a,  then 
A;  0;  <f>  b  o' 

Proof  The  proof  is  by  induction  over  the  structure  of  a.  □ 
Lemma  A.12  If 'it  ;  A;  0;  <P,  a :  A';  The  and  A';  0;  $  b  o'  then 
\P;  A;  0;  <f>;  Y[o' /a]  b  e[cr' /a] 

Proof  The  proof  is  again  by  induction  over  the  derivation.  The 
only  non-trivial  case  is  the  only  construct, 
case  only  Ai  in  e:  By  definition, 

A;  0;  4>,a:A';Tb  only  Ai  in  e 
and  A';  0;  <P  b  o' .  Suppose  A'  C  Ai.  Then  we  get  that 

vE'|Ai;  Ai,cd;0;$|Al,a:  A';r|Al  be 

Applying  the  inductive  hypothesis  we  get  that 

Al ;  Ar,  Cd;  0;  <P| Al ;  T| Al  [a' /a]  b  e[o'/a] 

But  we  also  have  that  Y\/s1[o’  /  a\  =  r[<r7Q]lAi-  From  here  we 
can  conclude  that 

vp;  A;  0;  <P;  T[a' / a]  b  only  Ai  in  e[cr7Q] 

If  Ai  C  A',  then  we  get  that 

®|Al;  Ai,cd;0;$|Al;r|Al  b  e 

This  implies  that  a  does  not  occur  free  in  e.  We  also  have  that 
A';  0;  <P  b  o' .  Using  lemma  A.  1 1,  we  can  show  that  Tjcr'/o]!  ax  = 
r|Al.  Therefore,  we  get  that 

<E'|a1;  Ai,cd;0;$|Al;r[cr7a]|Al  b  e 

This  implies  that 

>P;  A;  0;  <P;  Y[o'  /  a]  b  only  Ai  in  e 

□ 

Lemma  A.13  b  op  :  a  and 

\P;  A;  0;  <1?;  Y  b  v'  :  o'  then 
\I/;  A;  0;  <P;  T  b  op[v ' /x\  :  o 

Proof  The  proof  is  a  straightforward  induction  over  the  typing 
derivation  for  op.  □ 

Lemma  A.14  If 'll;  A;  0;  <f>;  Y  b  v  :  a  and  Ai;  0;  $|Al;  b  o  and 
Ai  C  A,  then  ^P|Ai ;  Ai;  0;  $|Al ;  T|Al  b  v  :  o 


Proof  The  proof  is  by  induction  over  the  derivation  for  v.  Most 
of  the  cases  follow  directly  from  the  inductive  hypothesis.  We  will 
consider  only  one  case  here, 
case  vl:  We  have  that 

\P;  A;  0;  <P;  T  b  v.l  :  o  at  v.  This  implies  that  =  a  and 

Dom/'Y);  b  <r  at  v.  However,  by  assumption  we  also  know 
that  Ai;  0;  <3>|Al  b  a  at  v.  This  implies  that  v  €  Ai.  This  implies 
that  \1/ 1 Al  ( v.l )  =  o.  Moreover,  we  also  get  that  Ai;  •;  ■  b  o  at  v. 
Therefore,  we  get  that  Dom('I'j Al );  •  b  o  at  v.  From  here  we 

get  that  |  Al ;  Ai;  0;  <I>|Al ;  T|Al  b  v.i  :  o  at  v.  □ 

Lemma  A.15  If  >]/;  A;  0;  <f>;  T,  x:o  b  e  and 
$;A;0;$;rbt)  :  o  then 
$;A;0;$;Tb  e[v/x\ 

Proof  The  proof  is  again  a  straightforward  induction  over  the 

structure  of  e.  We  will  only  show  the  proof  for  a  couple  of  cases, 

the  rest  of  them  follow  similarly. 

case  only  A  in  e:  We  have  that 

$;A;0;$;r,i:crb  Only  Ai  in  e.  This  implies  that 

^|Al;  Ai;0;$|At|  (T,  *:cr)|Al  b  e.  If  we  have  that 

Ai;  0;  "FIa-l  b  cr,  then  we  get  that 

'3/|Ai;Ai;0;<f>|Ai;r|Ai,a;:cr  b  e.  By  lemma  A.14  we  get  that 
'FI  Al ;  Ai;  0;  $|  Al ;  r|  Aj  bo  :  a.  Applying  the  inductive  hypoth¬ 
esis  gives  us  that 

'F|a1;  Ai;0;<F|Al;r|Al  b  e[v/x\. 

In  the  other  case,  we  get  that 

\F|ai  ;  Ai;  0;  'FIai  ;  r|Al  b  e.  This  implies  that  x  does  not  occur 
free  in  e.  The  required  result  follows  front  here, 
case  typecase  t  of  (ej;  ey,  fif2.ex ;  fe-eg):  By  assumption,  we  get 
that  0  b  t  :  U 

Tb  A;  0;  <f>;  r[lnt/£],  a; : cr[lnt/f]  b  e;[lnt/t] 
'F;A;0;<I>;r,x:(7  b  e\ 

\F;  A;  0,  ti  :Yl,  f2  <F;  F[£i  x  f2/f],  x :  o[t\  x  f2/f]  b 
ex  [U  x  t2/t\ 

T1;  A;  0,  fe :  H  — +  Yl;  <F;  Y[3ti.teti/t\,  x :  o[3ti.teti/t]  b 
eg[3fi.fefi/f] 

By  lemma  A. 7,  we  know  that  if  fF;  A;  0;  <f>;  T  b  v  :  o,  then 
Tb  A;  0;  $;  T[r/f]  bu  :  <j[r/f].  Now  substitute  v[lnt/f]  in  the 
d  branch,  substitute  v  in  the  e\  branch,  substitute  v[ti  x  f2/f] 
in  the  ex  branch,  and  substitute  v[3ti.teti/t\  in  the  eg  branch. 
The  required  result  follows  from  the  inductive  hypothesis  on  each 
branch.  □ 

Proposition  A.16  (Type  Preservation)  If  b  ( M ,  e)  and 

(M,  e)  =>  (Mr,  e')  then  b  (M',  e'). 

Proof  The  proof  is  by  induction  over  the  evaluation  relation.  We 
will  consider  only  the  cases  that  do  not  follow  directly  from  the 
inductive  hypothesis  and  the  substitution  lemmas, 
case  ^T[r][i7](u):  The  lemma  follows  from  the  fact  that  tag  reduc¬ 
tion  is  strongly  normalizing  and  confluent,  and  that  tag  reduction 
preserves  kind. 

case  v.i[f'][v\{v):  By  definition, 

'P;  Dom{'3>);  •  b  u.£[f'][u\(v) 

Since  =  /\\t:  n][f\{x:d).e),  we  have  that 

tp;  -Dom(T');  •;  •;  ■  b  v.l  :  V[f :  k]  [r] (ct)  — >  0  at  v 
This  implies  that 

'P|cd;cd.  f;t:n;-;x:o  b  e 
By  the  typing  rule,  we  get  that 
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4>;  Dom(4>),  r;  •;  •;  •  F  e 


tF;  Dom(^f);  •;  •;  •  F  Vi  :  trip,  r7 /r,  f] 
and  •■hr,'  :  k,  .  From  lemma  A.4  we  get  that 

®lcd;cd)«?;e;-;*:ffP/fI  h  e[F/r] 

Front  lemma  A. 8  we  get  that 

4'|cd;cdA;SSa;:a[F,f'/r,f~j  h  e[v,f  / r,t\ 

Since  t]/ 1 cc|  C  4/  and  cd,  v  C  Dom(i>),  we  can  extend  the  envi¬ 
ronment  for  deriving  e.  Applying  lemma  A.  15  we  get  that 

4»;  Dom('F);  •;  •;  •  F  e[v,  t  ,  v/r,  t,  x\ 

which  leads  to  the  result. 

case  (w[r])[r|[i7](w):  By  dehnition, 

A  Dom(f);  •  F  (tt[rl)[f|[i7](w) 

Front  the  typing  rules 

\P;  Dor?i.('F)i  •;  •;  •  F  (i;[[t])  :  V[[t[]  [r](c?)  A  0  for  some  v  and 
4/;  Dotn('F);  •  F  Vi  :  <Ji[V/r\.  Again  from  the  typing  rules  we 
get  that 

4/;  Dom{\ F);  •;  •;  •  F  v  :  V[f :  k] — >  0  at  v  where 
(Ti[r/f]  =  (Ji  and  •  F  r%  :  Ki.  We  need  to  prove  that 

4>;  Dom(\F);  •;  F  v[t][v\(v) 

This  is  true  if 

\F;  Dom{\ F);  •;  •;  •  F  Vi  :  a[[v,  f/f,  t],  But  we  already  know  that 
this  holds. 

case  let  x  =  put[^]w  in  e:  By  definition, 

VF;  Dom(4/);  ■  F  let  x  =  put[^]t>  in  e 

From  the  typing  rules, 

\F;  Domf' F);  •;  •;  ■  F  put[^]n  :  a  at  v 
for  some  type  a,  and  v  £  Dom(T').  This  implies  that 
'F;  Dom(\F);  •;  •;  •  F  v  :  a 
Again,  from  the  typing  rules, 

\F,  v.l :  a;  Dom(' F);  •  F  u.£  :  a  at  v 

The  required  result  now  follows  from  lemma  A.  15. 
case  let  x  =  get  v.i  in  e:  By  definition, 

\F;  Dom(T');  •;  •;  ■  F  let  x  =  get  v.l  in  e 
Front  the  typing  rules  we  get  that 

VF;  Dom(\ F);  ■  F  u.£  :  a  at  v 

for  some  type  a  Again  from  the  typing  rules,  we  get  that  >F  ( v.£ )  = 
a.  This  implies  that  if  M [y.£)  =  v,  then 

\F;  Dotn(^);  •;  •;  ■  F  v  :  a 

The  required  result  follows  from  lemma  A.  15. 
case  open  (a:A  =  ai,v:<J2)  as  ( a,x )  in  e:  The  two  open  con¬ 
structs  are  proved  similarly.  We  will  show  the  proof  for  only  one  of 
them.  By  definition, 

IF;  Dom('F);  ■  F  open  (a :  A  =  ai,  v :  02}  as  (a,  x)  in  e 

This  implies  that 

>F;  Dom (>F);  •;  a :  A;  x :  02  F  e 

The  required  result  follows  from  lemmas  A.  15  and  A.  12. 
case  let  region  r  in  e:  By  definition, 

vF;  Dom(\ F);  •;  •;  ■  F  let  region  r  in  e 
This  implies  that 


By  lemma  A.4, 

4/;  Dom (4/),  v,  •;  •;  ■  F  e[v/r\ 

Since  v  is  a  newly  introduced  region,  we  can  extend  'F  with  it.  This 
implies  that 

\F,  v  1— >  {};  Dom( 4r),  v,  •;  •;  ■  F  e[v/r\ 

This  is  the  required  result, 
case  only  A  in  e:  By  definition, 

4>;  Dom('F);  ■  F  only  A  in  e 

This  implies  that 

\F|  a;  cd.  A;  ■  F  e 
But  cd,  A  =  Dom{\ F|a).  This  implies  that 

4F|a;  Dom{ 4F|a);  •;  •;  •  F  e 
which  is  the  required  result. 

For  all  of  the  typecases,  the  required  result  follows  directly 
from  the  typing  rules  since  the  value  environment  is  empty. 

Lemma  A.17  (Canonical  forms) 

1.  If  4/;  A;  •;  •;  ■  F  v  :  int  then  v  =  n. 

2.  If  4F  A;  •;  •;  •  F  v  :  a  at  v  then  v  =  v.£. 

3.  If 'it:  A;  •;  •;  •  F  v  :  <7i  x  <72  then  v  =  ( vi,V2 ). 

4.  If  4/;  A;  ■  Ft;  :  3t:n.a  then  v  =  (t  =  r,  v' :  a). 

5.  If  4/ ;  A;  •;  •;  ■  Ft;  :  3a:  A '  .a  then  v  =  (a :  A'  =  <7i,  v' :  of). 

6.  If  it:  A;  •;  •;  •  F  v  :  V|[r]|  [r]  (a)  -A  0  then  v  =  t/Jr]. 

7.  IfH:  A; -  F  v  :  V[f:"k][r](CT)  0 

then  v  =  \[t:n][f\(xTij).e. 

Proof  The  proof  follows  from  the  inspection  of  the  typing  rules 
for  values.  □ 

Proposition  A.18  (Progress)  If  F  ( M ,  e)  then  either  e  =  halt  v 
or  there  exists  a  (A/',  e')  such  that  (M,  e)  =>  ( M ' ,  e'). 

Proof  The  proof  is  again  by  induction  over  the  structure  of  e. 
By  definition,  4/;  Dom(4/);  •;  •;  ■  F  e.  The  proof  for  the  individual 
cases  start  from  this  point, 
case  v[t\ [v](v):  From  the  typing  rules,  either 

v:V[t  :/«][r](<7)  — >  0  at  v  or  v :  V[[F]  [f\ (a)  A  0 

In  the  first  case  by  lemma  A.17,  v  =  v.£.  From  the  typing  rules 
M(v.£)  =  A[f:  /t]  [f\(x?a).e  This  implies  that  we  have  areduction. 

In  the  second  case,  by  lemma  A.17  v  =  t/Jr].  In  this  case  also 
we  have  a  reduction  to  v'[t\  [v\  ( v ). 

case  let  x  =  op  in  e:  If  op  =  v,  then  we  have  a  reduction.  If 
op  =  mv,  then  front  the  typing  rules, 

\F;  Domff F);  •;  •;  •  F  v  :  o\  x  02-  The  required  result  follows  from 
lemma  A.17.  In  the  case  of  put[^]v,  the  result  follows  directly.  The 
constraint  v  £  A  ensures  that  u  £  Domfit).  In  the  case  for  get  v, 
by  the  typing  rules  we  know  that  v  =  v.l  for  some  v.l.  Again 
from  the  typing  rule  we  know  that  4 ’{v.l)  =  a.  This  implies  that 
M(v.£ )  =  v1  for  some  value  v' . 

For  the  other  cases  of  e,  the  proposition  follows  directly  from  the 
operational  semantics.  □ 
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—  Syntactic  type  shorthands  for  notational  convenience:  — 

tc[t]  =  V[ti,t2,2e]  [t'l ,  7*2 ,  r3](Mr2  (t),  ac)  -A  0  x  etc  —  Basic  type  of  the  continuations  of  copy  — 

tk[t\  =  (32i :  I2.322  :  f2.32e  :  12  — »  Q..3ac  :  {?’i,  r2,  r3}.2c[2])  at  r3  —  Same  as  tc  but  closed  with  existential  packages  — 

—  The  main  GC  entry  point  — 

fix  gc[t:Q] [ri](/  :V[][r](Mr(t))  -►  0,  x :  Mri  (f)). 

let  region  r2  in 
let  region  r3  in 

let  c  =  (geendft,  int,  A2.2],  /)  in 

let  k  =  put[r3](ti  =  2, 22  =  int,  2e  =  A2.2,  ac :  {/’i,  r2,  r3}  =  V[][r](Mr(2))  0,c:2c[2])  in 

copy[t\[n,r2,r3](x,k) 

—  The  second  half  of  GC,  passed  as  a  continuation  to  copy  — 

fix  gcend[ti  :  12, 22  : 12, 2e  :  f2  — >  fi][ri,r2,r3](y:Mr2(2i),/:V[][r](Mr(2i))  — >  0). 
only  {r2}  in  f\\[r2](y) 

—  The  main  copy  entry  point  — 

fix  copy  [t :  12]  [n ,  r2 ,  r3]  (x :  Mri  (2 ) ,  k :  2fc  [2] )  ■ 

typecase  t  of 

int  =4>  open  (get  k)  as  ( ti,t2,te,ac,c )  in  (7nc)[fi,f2,fe][ri,r2,r3](x,7r2c) 

A  =»  open  (get  k)  as  (t1,t2,te,ac,c)  in  (7ric)[fi,f2,te][ri,r2,r3](x,7r2c) 

ti  x  t2  =>  let  c  =  (copypairlfti,  22,  At.f],  (7r2(get  x),  k))  in 

let  A;  =  put[r3](ti=ti,t2=t2,te  =  At.t,  ac:{ri,r2,r3}  =  Mri(f2)  x  tk[t],  c:tc[ti])  in 
copy  [t i]  [r i ,  r2 ,  r3]  (7ri  ( get  x) ,  k) 

3te  =^>  open  (get  x)  as  (tx,  y)  in 

let  c  =  (copi/ea:tstl[[tx,  int,  te],fc)  in 

let  A;  =  put[r3](fi=tx,t2  =  int,te  =  te,ac:{ri,r2,r3}  =  tk[t],  c:tc[teti])  in 
copy[tetx][ri,r2,r3\{y,k) 

—  First  continuation  when  copying  a  pair  — 

fix  copypairl[ti :  ft,  t2  :  ft,  te  :  ft  — +  ft][ri,  r2,  r3](a:i  :Mr2(ti),  c:  Mri(f2)  x  tk[ti  x  fa]), 
let  c'  =  {copypair2\t2,  ti,  At.f],  (xi,  n2c, ))  in 

let  fc  =  put[?'3](ti  =ti,  t2  =t2,  te  =  At.f,  etc :  {n,  r2,  r3}  =  M,2(ti)  x  tk[ti  x  t2],  c'  :tc[t2])  in 
copy  [t2]  [r i ,  r2 ,  r3]  (7ti  c,  fc) 

—  Second  continuation  when  copying  a  pair  — 

fix  copypair2[ti :  ft,  t2  :  ft,  te  :  SI  — >  fi][n,  f2,  r3](a2 :  Mr2  (f2),  c:  Mr2(ti)  x  tfefti  x  t2]). 
open  (get  (7r2c))  as  ( ti,t2,te,ac,c '}  in  (7nc')[ti,t2,te][r1,r-2,r3](put[r2](7ric,a:2),7r2c') 

—  Continuation  when  copying  an  existential  package  — 

fix  copyexistl[ti  :fl,  t2  :fl,  te  — >  Q][ri,  r2,  r3](a:  Mr2  (teti),  c:  tfc[teti]). 

open  (get  c)  as  (fl,t2,t'e,ac,c'>  in  (7nc,)[ti,t2,te][n,r2,r3](put[r2](t=t1,z:Mr2(tet)),7r2c') 

Figure  12:  The  basic  GC  code  after  CPS  and  closure  conversion. 


B.  Closed  CPS  garbage  collector 

Figure  12  presents  the  code  of  the  basic  collector  after  CPS  and 
closure  conversion  (the  direct-style  code  is  shown  in  Fig.  4).  The 
presence  of  free  tag  variables  in  the  continuations  requires  the  use 
of  a  form  of  translucent  types  for  the  typed  closure  conversion  [10]. 

In  the  general  case  typed  closure  conversion  also  requires  exis¬ 
tential  quantification  over  kinds,  but  in  the  present  case,  we  can 
avoid  it  by  using  a  superset  of  all  possible  kinds:  since  some  con¬ 
tinuations  require  ti,f2  of  kind  fi,  12  while  others  only  need  ti,te 
or  kind  12,  (12  — >  12),  we  unify  the  two  into  ti,  t2,  te  where  some 
of  the  arguments  are  simply  left  unused. 

The  verbose  type  annotations  make  it  look  more  scary  than  it 
really  is.  Four  new  functions  were  introduced  because  of  CPS  con¬ 
version.  They  are  all  used  as  continuations  to  calls  to  copy: 

1.  geend  is  the  code  executed  at  the  end  of  the  toplevel  call  to 
copy  and  just  finishes  the  garbage  collection  by  freeing  the 
from  space  and  calling  back  the  mutator. 

2.  copyexistl  is  the  continuation  of  the  recursive  call  to  copy  an 


existential  package. 

3.  Since  copying  a  pair  requires  two  recursive  calls,  we  need 
both  copypairl  for  the  continuation  of  the  first  call  and  copy- 
pair'^ 1  for  the  continuation  of  the  second. 

Since  the  code  has  to  be  closed,  all  the  free  variables  need  to 
be  passed  explicitly  via  the  continuation  object  k  whose  type  is 
abbreviated  as  tk  [2]  but  is  really  a  big  existential  wrapper  around 
the  real  data  whose  type  is  abbreviated  as  tc  [2] . 

C.  Soundness  of  A ceforw 

As  before.  We  use  the  usual  exchange  and  weakening  proper¬ 
ties  of  environments  without  proving  them.  The  code  region  cd  is 
always  implicitly  part  of  the  environment.  Even  when  the  environ¬ 
ment  is  restricted  to  a  particular  set,  say  11/ j  a,  the  code  region  is 
included  in  the  restricted  set. 

We  will  show  the  proofs  only  for  the  extensions.  The  only  non¬ 
trivial  extension  is  the  widen  construct.  The  proofs  of  the  propo¬ 
sitions  for  the  other  constructs  follow  in  a  straightforward  way  by 
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induction  over  the  derivations. 

Because  of  the  widen  operator,  the  notion  of  a  well  formed  ma¬ 
chine  state  has  to  be  slightly  adjusted  to  allow  non-well-formed 
memory  elements  as  long  as  they  can  be  shown  not  to  influence  the 
execution: 

Definition  C.l  The  machine  state  ( M ,  e)  is  well  formed  iff 


3.  //>]/;  A;  0;  <t>,  a:  A';  T  b  op  :  a  and  A';  0;  $  b  a1 
then  A;  0;  <f>;  Y\tj' /a\  b  op[a'/ot\  :  a \cr'/oi\ 

4.  //f;A;0;$,a:A';rh  e  and  A';  0;  $  b  a' 
then  A;  0;  $;  T[a' /a]  b  e[cr, /a] 

Proof  Same  thing  here,  the  induction  hypothesis  can  always  be 
applied  directly.  □ 


M  C  M  bM:$  be 

I-  (M,e) 

Note  that  to  show  well-formedness  we  now  need  to  find  not  only 
a  witness  \E'  but  also  a  proper  M  subset. 

The  reason  is  that  widen  casts  the  whole  live  heap  from  one 
type  to  the  other  but  cannot  cast  any  arbitrary  M  because  it  might 
include  existential  packages  of  the  form  (a :  A  =  ai ,  v :  a2)  where 
casting  a  would  require  an  update  of  M,  which  goes  against  the 
idea  that  widen  is  a  nop. 

This  problem  appears  when  we  try  to  prove  type  preservation, 
which  is  the  main  obstacle  to  show  soundness  of  the  widen  opera¬ 
tor,  whose  proof  uses  two  lemmas  for  the  following  two  steps: 

1 .  First,  we  construct  a  M  which  only  contains  elements  that  we 
can  cast  (i.e.  of  type  Mp(r))  and  we  show  that  the  state  is 
still  well-formed.  This  is  the  case  because  when  we  reach  a 
widen,  all  the  live  data  if  of  such  a  type, 

2.  Then  we  show  that  when  everything  has  a  type  of  the  form 
Mp  (r),  we  can  cast  every  single  type  consistently  to  its  CPtP>  (r) 
equivalent  and  the  result  is  still  properly  typed.  This  relies  on 
the  subsumption  rule  on  sum  types  and  the  fact  that  C  types 
only  differs  from  M  types  by  adding  branches  to  sum  types. 


Lemma  C.4  (Value  Substitution) 

1.  Ifty;  A;  0;  <f>;  T,  x:a  b  op  :  a' 
and  f;  A;0;$;r  b  t)  :  a 

then  <1/;  A;  0;  $;  T  b  op[v/x\  :  a'. 

2.  //>T;  A;0;$;r,x:cr  b  e 
and  f;  A;0;$;T  b  t)  :  a 
then  T';  A;  0;  <f>;  T  b  e[v/x\. 

Proof  The  proof  is  by  induction  over  the  derivation  of  the  type 
judgment.  Most  of  the  cases  follow  directly  from  the  induction 
hypothesis.  Exceptions  are: 

widen  We  need  to  show  that  the  substitution  on  e  has  no  effect, 
which  is  easy  since  the  variable  we  are  substituting  cannot 
occur  freely  in  e. 


□ 


Definition  C.5  Let  \P|  |y|  be  the  restriction  of'l!  to  pieces  of  code 
or  elements  of  type  M„(t): 


’S'Um  =  M:cr  I  ’I'M)  =  c  A 


(a  =  M[f\[f\{wrd)  ^0  V 

yv  3t.(<t  at  v  =  M„/(t)) j  ' 


Lemma  C.2  (Region  Substitution) 


Note  that  since  cd  only  contains  functions,  \D|  y  will  preserve  all 
its  contents. 


1.  If 'll',  A,  r;  0;$;T  b  op  :  a 

then  T';  A,  v\  0;  T\v/r\  b  op[v/r\  :  cr[v/r\. 

2.  P;A,r;0;$;rb  e 

then  T1;  A,  v\  0;  <&\y/r\\  Y[v/r\  b  e[v/r\. 

Proof  Straightforward  proof  via  induction  over  the  derivation  of 
the  typing  judgment.  Note  that  v  £  Ik  is  not  required  here, 
case  let  x  =  widen [p'][r](v)  in  e:  We  have  that 
T';A,r;0;<I);r  b  let*  =  widen  [p']  [r](v)  in  e.  This  implies 
T1;  A,r;0;$;rb»  :  Mp(r)  and 

T'|cc|;cd,p,p';0;$|pp/;a::Cpip/(r)  b  e.  Applying  lemma  C.2. 1 
to  the  derivation  for  v  we  get  that 
H/;  A,  ir,  0;  <b[v/r\\T\v/r\  b  v[u/r\  :  Up[„/r]{r)  since 
Mp(r)[i//r]  =  Mp[p/r](r). 

If  either  p  =  r  or  p'  =  r  then  the  inductive  hypothesis  on  the 
derivation  of  e  and  lemma  A.2  and  the  fact  that  CP}f)i  (r)[v/r\  = 
C (p,p')b/r]  (t)  leads  to  the  required  result. 

In  the  other  case,  T>[z//r] | pp/  =  $|Pp',  where  Dom(&\ppi)  (T 
T)om(<^>,)  is  empty.  Moreover,  r  does  not  occur  free  in  e.  Since 
we  can  extend  environments  with  new  bindings  we  get  that 
\&lcd;  Cd,  p,  p';  0;  ‘E’lpp',  <f>/;  *:  CPip/(r)  b  e.  This  leads  to  the  re¬ 
quired  result.  □ 

Lemma  C.3  (Type  Substitution) 

1.  If 'll',  A;  0,  t :  ft;  T>;  T  b  op  :  a  and  ©  b  t  :  k 
then  \D;  A;  0;  <F;  T[r/f]  b  op[r/f]  :  cr[r/f]. 

2.  //$;  A;0,(:k;$;T  b  e  and  0  b  t  :  n 
then  \D;  A;  0;  >I>;  T[r/f]  b  e[r/t]. 


Lemma  C.6  If'i’;  Dom(fS>)\ •;  •;  ■  b  v  :  M ^(t)  then 
D°m{fl!\v)\ •;  •;  •  b  v  :  M„(t) 

Proof  By  the  definition  of  the  M  type,  v  is  either  of  type  int  or  of 
type  <7  at  v.  The  lemma  follows  trivially  if  v  is  of  type  int.  Consider 
the  other  cases. 

case  M„(t  — ►  0):  In  this  case  v  =  cd.£.  Therefore 
T'(cdT)  =  V[][r](Mr(r))  — >  0.  Therefore 

M(cd.£)  =  \\\[r](xT&) .e.  The  lemma  now  follows  since  the  body 
e  is  typed  only  under  the  code  region  *I'|CC|  and  the  region  environ¬ 
ment  cd,  r. 

case  M„(ti  x  rf)’-  We  again  have  that  v  =  v.£.  Therefore, 

'h(v.£)  =  left(M,y(ri)  x  (t 2)).  This  implies  that  M(y.£)  = 

\n\v’.  We  know  that 

'T;  Dom(f);  •;  •;  •  b  ini  v’  :  left(M„(n)  x  M„(t2)) 

This  implies  that 

+  ti'  :  (M„(ti)  x  M^(t2)) 

This  implies  that  vr  =  (vj,  *2)-  From  the  typing  rules  we  get  that 
'T;  Dom('T);  •;  •;  •  b  v[  :  M„(n)  and 

T1;  Dom('T);  t4  :  M„(r2).  Applying  the  inductive  hypoth¬ 

esis  to  the  derivations  for  v'i  and  v'2,  we  get  that 
'I'L.M;  Dom(fh\v)-,  •;  •;  •  b  v[  :  M„(n)  and 
T,|i/  M;-Dom(T'|„);  •;  •;  •  t  v'2  :  M  ^(*2).  The  required  result  fol¬ 
lows  from  this. 

case  M„(3t.r):  We  again  have  that  v  =  v.£.  Therefore, 

=  left(3f.M„(r)).  This  implies  that  M(y.£)  =  ini  v'.  We 
know  that 
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'I';  Dom(f);  •  F  ini  v'  :  left(3f.M„(r)) 

This  implies  that 

>F;  Domlfh)-,  ft)'  :  3i.Mi/(r) 

This  implies  that 

v'  =  ( t  =  T  ,  v"  :  M,y(r)}.  From  here  we  get  that 

'F;  Dom('h);  •  h/  :  (M„('r))[TVf]-  But  we  have  that 

(M /t\  =  M„(r[r,/t]).  Therefore,  applying  the  inductive 

hypothesis  to  the  derivation  for  v" ,  we  get  that 

'F|./  m;  Dom{^\u)-,  •;  •;  •  F  v"  :  M„(t[t'  /(]).  The  required  result 

follows  from  this.  □ 

Definition  C.7  Let  Tp^pt  be  the  type  operator  that  turns  a  type  of 
the  form  Mp(t)  into  a  type  of  the  form  C p,p'(r)  and  keeps  code 
pointer  types  unchanged: 


left((w(ri)  x  C^(r2)) 
'(r2  x  t2)) 


ini  t/ 


^right(M„ 


This  is  the  required  result. 

case  M,y(3f.r):  The  proof  proceeds  exactly  as  in  the  previous  case. 
We  only  need  to  use  the  fact  that  (C py  ('r))[r,/f]  =  C PiPi  (t[V  /t\) 
□ 


Proposition  C.9  (Type  Preservation) 

If  h  (AT,  e)  and  (AT,  e)  =>  (AT',  e')  then  F  (AT',  e'). 

Proof  The  proof  is  by  cases  on  the  structure  of  e.  For  each  possi¬ 
ble  case,  we  use  the  typing  derivation  together  with  the  evaluation 
step  to  get  the  derivation  of  the  new  typing  judgment.  This  mostly 
relies  on  the  substitution  lemmas.  We  only  show  the  more  interest¬ 
ing  cases. 


Tpy(Mp(r))  =  Cpy(T) 

Tp,p'{^[T][r\{v^)  -*■  o  at  p)  =  V[r][r](t7T<?)  ->  0  at  p 
We  also  use  this  operator  on  \F  where  it  is  defined  as: 

Tpy{\ F)  =  {vl:o  |  Vl ’(vl)  =  o'  A  Tpy(o'  at  p)  =  a  at  p} 

Note  that  the  two  parts  of  the  definition  of  Tp  p>  (o)  overlap  but 
are  consistent  since  Mp(t)  and  Cp.p/(r)  are  identical  in  the  case 
when  r  is  an  arrow  type.  Also,  since  cd  only  contains  functions, 

Tp  pi  ('F)  does  not  change  the  type  of  cd.  Finally  since  both  M  and 
C  are  iterators,  the  T  type  operator  can  be  defined  as  an  iterator. 

Lemma  C.8  If'&\] jyyj ;  Dom('h\u)\ •;  •;  ■  F  v  :  M u(t),  then 
T„yWU! b  v  :  Cw(r) 

Proof  When  v  is  of  type  int,  the  lemma  follows  trivially, 
case  M„(t  — >  0):  In  this  case  v  =  c61  and 
AT(cd.T)  =  A[][r](irT<T).e.  This  implies  that 
’F |ccj ;  Cd,  r;  •;  •;  xTf  h  e.  Since  M„  (A  — +  0)  =  Cvv'(t'  — +  0) 
the  type  operator  T  is  the  identity  for  code  types.  Therefore,  the 
cast  will  leave  the  type  of  the  code  region  unchanged.  Therefore 
'F | cc|  =  (Tvy  (\P | ^  M))lcd'  This  leads  to  the  required  result, 
case  M„(n  x  r2):  We  again  have  that  v  =  vl.  Therefore, 

>F( vl )  =  left(M„(i~i)  x  MJ/(r2)).  This  implies  that  M(yl)  = 
ini  v' .  We  know  that 

Dom.('F);  •  F  ini  v'  :  left(M„(n)  x  M„(r2)) 

This  implies  that 

*F;  Dom(' F);  •;  •;  ■  h  v'  :  (M„(n)  x  M„(t2)) 

This  implies  that  v'  =  (v[,v2).  From  the  typing  rules  we  get  that 
\F;  Dom.if F);  •;  •;  •  h  v[  :  M„(ti)  and 

\F;  Dom.(f F);  •;  •;  •  h  v2  :  Ml,(r2).  Applying  lemma C. 6  to  the  deriva¬ 
tions  for  v\  and  v2,  we  get  that 

•  F  v[  :  M,y(n)  and 

’F | ^  M ;  T>oto('P|„);  •;  •;  •  F  v2  :  M,y(r2).  Applying  the  inductive 
hypothesis  to  the  derivations  for  v[  and  v2  we  get  that 
T„y{'5'\wM);Dom(ty\„),v' F  v[  :  C„„>(ti)  and 
T„yW„  M);Dom(y\„),v'-,-,-,-\-  v’2  :  CI/l//(r2).  From  here  we 
can  conclude  that 

Tvy(iS>\i am):  Dom{\ P|„),  z/;  ■  F 

ini  v'  :  leftfC^^/  (ti)  X  C p^(r2)) 

By  the  subtyping  rule  we  can  conclude  that 


•  (AT,  let  x  =  v  in  e)  =>■  (AT,  e[v/x\) 

Front  F  (AT,  let  x  =  v  in  e)  we  get  that  F  AT :  4/  and 

'F;  Dom('F);  •;  •;  ■  F  let  x  =  v  in  e.  The  derivation  in  turns 

tells  us  that  >F;  Dom('F);  •;  •;  •  F  v  :  o  and 

IF;  Dom(f F);  x :  cr  F  e.  At  this  point,  we  can  apply 

value  substitution  to  get  *F;  Dom(vF);  •  F  e[v/x\. 

•  (AT,  only  A  in  e)  ==>■  (AT|  a,  e) 

Here  we  get  T*;  Dom(x F);  •;  •;  ■  F  only  A  in  e  which  gives  us 
\F|a;  A;  •  F  e.  Since  AT  C  AT,  we  have  that 
AT|a  C  AT|a.  Moreover,  we  know  that  A  C  Dom.(\ F). 
Therefore,  Dom.('FjA)  =  A. 

•  (AT,  let  x  =  widen [v'][t](v)  in  e)  =*-  (AT,  e[v/x\) 

We  know  that  if  AT :  4/,  then  we  have  that 

'F;  Dom.('F);  •;  •;  ■  F  let  x  =  widen [i^']  [t] (v)  in  e.  This 

implies  that  4/;  Dom('F);  •;  •;  •  F  v  :  M„(t)  and 

vFIcd^d,  v,  v'-,  •;  •; ,  x :  C (r)  F  e  for  some  v  and  v' 

belonging  to  T)om('F).  By  lemma  C.6  we  have  that 

fF  |  ^  y;  Dom.(fh\v)\  •;  •;  ■  F  v  :  M„(r).  By  lemma  C.8  we 

have  that  T’„,i,'('F|i, jy|);  T)om('F|„);  •;  •;  ■  F  v  :  C„„'(t). 

But  we  have  that  T„p,/('F|i/ 1^|)  =  xF|cc|,  >F'  for  some  T'' 

since  the  cast  leaves  the  code  type  unchanged.  Also 

\F'  =  T„l//('F|j/  |\y|)  Since  we  can  extend  the  environment, 

we  have  that  fF | cc| ,  \F';  cd,  v,  v1-,  •;  •; ,  x\Cvi/i{t)  F  e. 

Applying  lemma  C.4.2  we  get  that 

T  |  ,  4/';  cd,  v,  v1  ■  F  e[v/x\.  This  implies  that 

^icd’  v'  ^  {};  cd:  F  e[v/x\.  If 

AT :  \F|ccj,  \F',  v'  {},  then  clearly  AT  C  AT.  This  leads  to 

the  required  result. 

□ 

Lemma  C.10  (Canonical  forms) 

1.  If' F;  A;  •;  •;  ■  F  v  :  int  then  v  =  n. 

2.  If' F;  A;  •;  •;  •  F  v  :  o  at  p  then  v  =  vl. 

3.  If' F;  A;  ■  F  t;  :  <Ti  x  cr2  then  v  =  (vi,t>2). 

4.  If' F;  A;  •  F  i;  :  3t.cr  then  v  =  {t  =  r,v'  :o). 

5.  If  >F;  A'  F  v  :  3cv:  A.  o  then  v  =  (a:A  =  cri,v':o2). 

6.  If' F;  A:  •;  •;  •  F  r  :  V|[r]|  [r]  (a)  -A  0  then  v  =  t/[r]. 

7.  T/'F;  A;-;  -;-F  v  :  V[f:"k][r|(a)  ->  0 
then  v  =  X[t:K,][f\(xTo).e. 
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Proof  The  proof  follows  from  the  inspection  of  the  typing  rules 
for  values.  □ 

Proposition  C.ll  (Progress)  If  b  (AT,  e)  then  either  e  =  halt  v 
or  there  exists  a  ( M e1)  such  that  (AT,  e)  =>  ( M e'). 

Proof  The  proof  is  again  by  cases  on  the  structure  of  e.  It  uses 
lemma  C.  10.  □ 

D.  Soundness  of  A GCgen 

In  this  section,  we  prove  the  soundness  of  A GCgen-  We  will 
prove  soundness  in  the  same  way  -  with  the  subject  reduction  and 
progress  lemmas.  Since  A  GCgen  is  just  an  extension  of  A  ac,  we 
will  prove  the  required  lemmas  only  for  the  new  cases.  As  usual 
we  will  use  the  exchange  and  widening  lemmas  for  environments 
throughout  the  section. 

Lemma  D.l  If  A;  0;  $  b  a,  then  A  [v/r\;  0;  <&\y/r\  b  cr[v/r\. 

Proof  The  proof  is  by  induction  over  the  derivation  of  a.  □ 

Lemma D.2  (f&[v/r\) |a  v  =  ($|a  r)[v/r\  and 

O/rDk,  =  (rk-Mr] 

Proof  Same  as  lemma  A.2.  □ 

Lemma  D.3  (MP1,p2('r))[r,/f]  =  Mp1jP2  (t[t'/£])  and 
(^P1,P2  (7_))  W/r\  ^PlW/r],p2[v/r]  7) 

Proof  Proved  by  considering  the  different  possible  reductions  of 

Mpi,P2(r)-  n 

Lemma  D.4  If 'll;  A,  r;  0;  <F;  T  b  op  :  o,  then 
\F;  A,  v;  0;  Q[v/r\;  rfip/r-j  b  op[v/r\  \  o[v/r\ 

Proof  The  proof  is  a  straightforward  induction  over  the  deriva¬ 
tion  for  op.  Note  that  A,  v  =  (A,  r)[v/r].  It  uses  lemma  D.3  for 
the  case  involving  subtyping  with  the  Mpj  jP2  (r)  type, 
case  (r'  £  A'  =  p,  v) :  We  have  that 

$;A,r;0;$;rh  ( r '  €  A'  =  p,v)  :  3r'  £  A'. (a  at  r') 

This  implies  that 

’F;  A,  r;  0;  <I>;  T  h  v  :  o[p/r']  at  p  and  p  £  A'  and  A'  C  A,  r. 
Applying  the  inductive  hypothesis  we  get  that 

\F;  A,  v;  0;  &[v/r\;  Y[v/r]  b  v[v/r\  :  {&[p  /  r'])[v  /  r\  at  p[v/r\ 

This  implies  that 

>F;  A,  v;  0;  <&{v/r\;  T[v/r ]  b 

v[u/r\  :  (cr W/r])[(p{v/r])/r']  at  p[v/r\ 

Moreover,  A' [v/r]  C  A,  v  and  p[v/r]  £  A '[v/r\.  This  implies 
that 

T';  A,  v;  0;  $[v/r\;  T[v/r\  b 

(r'  £  A '[v/r]  =  p[v/r],  v[v/r])  :  3r'  £  { A.'[v /r]}.(cr\v /r]  at  r') 

□ 

Lemma  D.5  If 'S’  ;  A,  r;  0;  <t>;  T  b  e,  then 
\F;  A,  v;  0;  <E>[j^/r-] ;  T[ip/r]  h  e[v/r] 


Proof  The  proof  is  by  induction  over  the  derivation  of  e.  Note 
that  A,  v  =  (A,r)[t//r].  We  will  consider  only  the  extra  cases 
here. 

case  open  v  as  (r',  x)  in  e:  We  have  that 

>F;  A,  r;  0;  $;  T  h  open  v  as  (r  ,  x)  in  e 
This  implies  that 

>F;  A,  r,  r'\  0;  ID;  T,  x:o  at  r'  b  e 

and  \F;  A,  r;  0;  <F;  T  b  v  :  3r'  £  A'.((t  at  r').  Applying  lemmaD.4 
to  the  derivation  for  v  we  get  that 

T';  A,  v;  0;  Q[v/r\;  F^/r]  b  v[v/r]  :  3 r'  £  A '  [v  /  r].{a[v  /  r]  at  r') 

Applying  the  inductive  hypothesis  to  the  derivation  for  e  we  get 
that 

<F;  A,  v,  r' ;  0;  <F[i'/r];  T[v /r],x\o[v /r]  at  r'  b  e[v/r] 

From  this  we  get  that 

;  A,  v;  0;  <b[v/r];  Y[v/r]  b  open  v[v/r]  as  (r' ,  x)  in  e[v/r] 
case  ifreg  (ri  =  r2)  ei  e2:  We  have  that 

T';  (A,r)[r',r'/ri,r2];  0;  <F[r',  r'/n,  r2];  F[r',  r'/n,  F2]  b 
ei[r'  ,r' /r1,r2] 

and  IF;  A,  r;  0;  <F;  T  h  e2  and  r'  (/  A,  r.  Applying  the  inductive 
hypothesis  to  the  derivation  for  e2  leads  to 

\F;  A,  v;  0;  <E>[z^/r-];  T [v/r]  b  e2[v/r\ 

Applying  the  inductive  hypothesis  to  the  derivation  for  ei  and  using 
the  fact  that  r  is  different  from  n  and  r2  we  get  that 

'F;  (A,  v)[r' ,  r'/ri,  r2];  0; 

(<&[v/r])[r'  ,r' /n,r2];  {Y[v/r])[r' ,  r'/n,  r2]  h 
(ei[v/r])[r'  ,r' /n,r2] 

This  leads  to  the  required  result, 
case  ifreg  (r  =  r2)  ei  e2:  We  have  that 

A,  r;  0;  $;  T  b  ifreg  (r  =  r2)  ei  e2 
This  implies  that 

<F;  (A,  r)[r',r'/r,  r2];  0;  <F[r',  r'/r,  r2];  F[r',  r'/r,  r2]  b 
ei[r',  r'/r,  r2] 

and  >F;  A,  r;  0;  <F;  T  h  e2.  We  must  prove  that 
*F;  A,  v;  0;  <b[v  /  r];T[v  /  r]  b  ifreg  ( v  =  r2)  e\[v/r]  e2[v/r] 

This  implies  that  we  must  prove  that 
\F;  A,  v;  0;  <&[y/r\;  FJ^/r]  b  e2[v/r]  and 

(A,  u)\u /r2\;  0;  {<&[v / r])[v / r2]\  {T[v /r])[v /r2]  b 
(ei  [v/r\)[v/r2] 

This  implies  that  we  must  prove  that 

*F;  (A ,r)[v,  v/r,  r2];  0;  <F[r/,  v/r,  r2];  Y[v,  v/r,  r2\  b 
e\[v,  v/r ,  r2\ 

Applying  the  inductive  hypothesis  to  the  derivation  for  e2  leads 
to  the  required  result  for  this  derivation.  In  the  case  for  ei,  we 
substitute  for  r'  and  applying  the  inductive  hypothesis  and  the  fact 
that  r'  (/  A,  r  leads  to  the  required  result. 

case  ifreg  ( v '  =  r2)  ei  e2:  This  case  follows  directly  from  the 
inductive  hypothesis  on  the  derivations  of  ei  and  e2  and  using  the 
fact  that  v'  7  v  and  r  7  r2. 

case  ifreg  ( v  =  r2)  ei  e2:  This  case  follows  directly  from  the 
inductive  hypothesis  on  the  derivations  of  ei  and  e2  and  using  the 
fact  that  r  r2. 

case  ifreg  (v1  =  r)  ei  e2:  We  have  that 
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\P;  A,  r;  0;  <P;  T  b  ifreg  (1/  =  r)  ei  e2 
This  means  that  we  know  that 

A,  r;  0;  <f>;  T  b  e2 

We  have  to  prove  that 

ip;  A,  v;  0;  <1 '{v/r\;  Y[v/r\  b  ifreg  (V  =  v)  ei[v/r\  e2[v/r\ 

This  implies  that  we  have  to  prove  that 

ip;  A,  v;  0:  <f >[v  /  r\;Y[v  /  r\  b  e2[^/r] 

Applying  the  inductive  hypothesis  to  the  derivation  for  e2  leads  to 
the  result. 

case  ifreg  (v  =  r)  e\  e2:  We  have  that 

VP;  A,  r;  0;  <f>;  T  b  ifreg  (v  =  r)  ei  e2 
This  means  that  we  know  that 

\P;  A,  v;  0:  Q[v/r\;  Y[v/r]  b  e\[v/r] 

We  have  to  prove  that 

ip;  A,  v;  0;  <f>[i//r];  Y[v/r\  b  ifreg  (v  =  v)  ei[v/r\  e2[i'/r] 
This  implies  that  we  have  to  prove  that 

\P;  A,  u;  0:  <J>[r//r];  Y[v/r]  b  e\[v/r\ 

But  we  already  know  this.  □ 

Lemma  D.6  //0,  t :  k!  b  r  :  K  and  ©  b  t'  :  k',  then 
0  b  t[t' /t\  :  K 

Proof  The  proof  is  a  straightforward  induction  over  the  structure 
of  r.  □ 

Lemma  D.7  If  A;  0,  t :  k;  <f>  b  a  and  0  b  r  :  K,  then 
A;  0;  <f>  b  o[r/f\ 

Proof  The  proof  is  again  a  straightforward  induction  over  the  struc¬ 
ture  of  a.  □ 

Lemma  D.8  If 'it;  A;  0,  t :  k;  <f>;  F  b  op  :  o  and  0  b  r  :  k  then 
Tb  A;  0;  <f>;  Y[r/t }  b  op[r/t\  :  o[r/t\ 

Proof  The  proof  is  by  induction  over  the  derivation  for  op.  □ 

Lemma  D.9  If 'll;  A;  0,  t :  k;  F  b  e  and  •  b  r'  :  s  then 
^;A;0;$;r[r7f]  be[r'/f] 

Proof  The  proof  is  again  by  induction  over  the  derivation  for 
e.  □ 

Lemma  D.10  If  A;  0;  <f>,  a :  A'  b  o  and  A';  0;  <f>  b  o',  then 
A;  0;  d?  b  o[o' / a] 

Proof  The  proof  is  a  straighforward  induction  over  the  structure 
of  a.  □ 

Lemma  D.ll  If 'll;  A;  ©;$,«:  A';  T  b  op  :  a  and  A';  0;  <f>  b  o' 
then 

\I/;  A;  0;  <f>;  Tlcb/a:]  b  op[o' / a]  :  o[o' / a] 

Proof  The  proof  is  again  by  induction  over  the  typing  derivation 
for  op.  We  will  consider  only  the  case  for  region  packages, 
case  (r  €  A'  =  p,  v):  We  have  that 

$;A;0;$,a:A';rb  (r  <=  A'  =  p,v)  :  3r€  A'.(a  at  r) 


and  A';  0;  <t>  b  o' .  This  implies  that 

T1;  A;  0;  $,  a :  A';  V  b  v  :  cr[p/r]  at  p  and  p  £  A'  and  A'  C  A. 
Applying  the  inductive  hypothesis  we  get  that 

\P;  A;  0;  $;  r[cr,/a]  I-  v[o' /a\  :  (o[p / r])[o' / a]  at  p 

Since  r  does  not  occur  in  A,  and  A'  C  A.  therefore  r  does  not 
occur  free  in  o' .  Therefore  we  have  that 

\P;  A;  0;  $;  r[cr,/a]  ^  v[o' /a\  :  (o[o' / a])[p / r\  at  p 

This  leads  to  the  lemma.  □ 

Lemma  D.12  If  T1;  A;  0;  <f>,  a :  A';  T  b  e  and  A';  0;  <E>  b  o'  then 
\P;  A;  0;  $;  rftr'/a]  b  e[<r'/a] 

Proof  The  proof  is  by  induction  over  the  derivation  of  e. 
case  open  v  as  (r,  x)  in  e:  We  have  that 

ip;  A;  0;  <t>,  a:  A';  T  b  v  :  3reAi.(cr  at  r) 

and  \P;  A,  r;  0;  <P,  a  :  A';  T,  x :  o  at  r  b  e.  Applying  lemma  D.l  1 
to  the  derivation  for  v  we  get  that 

ip;  A;  0;  <f>;  Y[o' /a]  b  v[o' /a]  :  3r  £  Ai ,(o[o' /a]  at  r) 

Applying  the  inductive  hypothesis  to  the  derivation  for  e  we  get 
that 

ip;  A,  r;  0;  <f>;  T[o' / ot],x\o[o' / a]  at  r  b  e[o' /a] 

This  leads  to  the  required  result, 
case  ifreg  (ri  =  r2)  ei  e2:  We  have  that 
\P;  A;  0;  $,  a :  A';  Y  b  e2  and 

>P;  A[r,  r/n,r i];0; 

<f>[r,  r/n,  n],  a:  A'[r,  r /n,n];Y[r,  r/n,  r2]  b 
ei[r,  r/n,r2] 

Applying  the  inductive  hypothesis  to  the  derivation  of  e2  leads  to 
Tb  A;  0;  <f>;  Y[o' /a]  b  e2[cr'/a:] 

By  lemma  D.  1  we  have  that 

A'[r,  r/ri,r2];0;<f>[r,r/ri,r2]  b  cr'[r,  r/n,  r2] 

Substitute  o'\r,  r/r\,  r2]  in  the  derivation  for  ei  and  by  applying 
the  inductive  hypothesis  we  get  that 

ip;  A[r,  r/n,n];  0;  <P[r,  r/n,n];  (Y[o' /a])[r,  r/ri,  r2]  b 
(ei[c7'/a])[r,  r/r1,r2] 

This  leads  to  the  required  result, 
case  ifreg  (r  =  u)  ei  e2:  We  have  that 
\P;  A;  0;  $,  a :  A';  Y  b  e2  and 

ip;  A [v/r\  \  0;  ^[v/r],  a:  A'[v/r\;  Y[v/r]  b  ei[^/r] 
Applying  the  inductive  hypothesis  to  the  derivation  of  e2  leads  to 
\P;  A;  0;  <f>;  r[cr'/a]  b  e2[cr'/a] 

By  lemma  D.  1  we  have  that 

A'[v/r\;  0;  <P[^/r]  b  o'[v/r\ 

Substituting  o'[v /r\  in  the  derivation  for  ei  and  applying  the  in¬ 
ductive  hypothesis  gives  us  that 

ip;  A[v/r\;  0;  <&[v/r\;  {Y[o' / a\)[v / r]  b  (ei[o' / a])[v / r] 

which  leads  to  the  required  result.  □ 

Lemma  D.13  If  ip;  A;  0;  $;  T,  x :  o'  b  op  :  o  and 
ip;  A;  0;$;rb»'  :  o'  then 
\P;  A;  0;  <P;  T  b  op[v' /x]  :  o 
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Proof  The  proof  is  by  induction  over  the  typing  derivation  for 
op.  The  new  cases  follow  in  a  straightforward  way.  □ 

Lemma  D.14  If  it:  A;  0;  <k;  T  b  v  :  a  and  Ai;  0;  <f> |  Aj  h-  a  and 
Ai  C  A,  then  \&|ai  ;  Ai;  0;  <E>|ai  ;  T|ai  v  :  a 

Proof  The  proof  is  by  induction  over  the  derivation  for  v.  We 
will  show  only  the  extra  case  here, 
case  (r  £  A2  =  p,v):  We  have  that 

\k;  A;  0;  <f>;  T  h-  (r  £  A2  =  p,v)  :  3 r£  A2.(cr  at  r).  This  implies 
that 

$;A;0;$;TI-t)  :  cr  [p/r\  at  p  and  p  £  A2  and  A2  C  A.  We 
also  have  that 

Ai;©;®^!  h  3r£  A2.(cr  at  r).  This  implies  that  A2  C  Ai. 
Moreover, 

Ai,  r;  0;  $|a!  I-  cr.  By  lemma  D.l  we  get  that 

Ai,  p;  0;  ($|ai  )[p/r]  h-  <j\p/r\.  But  since  p  £  Ai  and  r  does  not 

occur  free  in  <kj  a1  ,  we  get  that 

Ai;0;<f>|Ai  a[p/r\.  Applying  the  inductive  hypothesis  to  the 

derivation  for  v  we  get  that 

'J'Iaj;  Ai;0;<f>|Ai;T|Ai  ►  v  :  cr  [p/r]  at  p.  This  implies  that 
T'|a1;  Ai;  0;  rjAt  h  (r  £  A2  =  p,  v)  :  3r£  A2.(cr  at  r) 
□ 

Lemma  D.15  If  it:  A;  0;  <k;  T,  x:a  h  e  and 
\k;  A;  0;  <f>;  T  h-  v  :  cr  then 
'5>;  A;  0;  <f>;  T  h  e[v/x\ 

Proof  The  proof  is  by  induction  over  the  derivation  of  e.  We  will 

only  consider  the  case  for  ifreg. 

case  ifreg  (r  =  u)  ei  e2:  By  definition  we  have  that 

:  A[i//r];  0;  <k[ic/r];  T[u/r\,  x :  cr\v/r\  I-  ei  \v/r\ 

and  hk;A;0;$;r,x:cr  h  e2.  Applying  the  inductive  hypothesis 

to  the  derivation  of  e2,  we  get  that 

\k;  A;  0;  <f>;  T  h  e2[x/x].  By  lemma  D.4  we  know  that 

\k;  A[i//r];  0;  i>\v/r\\  T\v/r\  h-  v\v/r\  :  o[v/r\ 

Substituting  v[v/r\  for  x  in  the  derivation  for  e  1  leads  to  the  lemma, 
case  ifreg  (ri  =  r2)  ei  e2:  By  definition  we  have  that 

’P;  A[r,r/n,r2];0; 

T>  [r,  r /n ,  r2] ;  T  [r,  r/r  1 ,  r2] ,  x :  cr  [r,  r/r  1 ,  r2]  h- 
ei[r,  r/n,r2\ 

and  r]/;  A;  0;  $;  T,  x  :cr  h  e2.  By  lemma  D.4  we  know  that 

\fr;  A [r,  r/n ,  r2] ;  0;  4> [ r ,  r/r  1 ,  r2] ;  T [r,  r /n ,  r2\  \~ 
v[r,  r/ri,  r2]  :  o[r,r/n,r2\ 

Substituting  v[r,  r/ri,r2]  and  t;  in  the  derivation  of  ei  and  e2 
respectively,  and  applying  the  inductive  hypothesis  leads  to  the 
lemma.  □ 

Proposition  D.16  (Type  Preservation)  If  h  (AT,  e)  c/uc/ 

(AT,  e)  =»  (AT',  e')  then  h  (AT',  e'). 

Proof  The  proof  is  by  induction  over  the  evaluation  relation.  We 
will  consider  only  the  additional  cases  here.  The  lemma  follows  in 
a  straightforward  way  for  the  ifreg  cases, 
case  open  (r  £  A  =  v,  v)  as  (r,  x)  in  e:  We  know  that 

4/;  Dom(vk);  -;-c;  -  ■(-  open  (r  £  A  =  v,  v)  as  ( r ,  x)  in  e 

This  implies  that 

;  Domtlf);  -  (r  £  A  =  i/,v)  :  3r  £  A  .(cr  at  r) 


where  A  C  Dom('k).  By  the  typing  rule  for  region  packages,  we 

have  that  v  £  Dom(' T)  and  that 

\k;  Dom.(\k);  hr  :  o[v/r\  at  v.  We  also  have  that 

\k;  Dom.(\k),  r;  x :  cr  at  r  h  e.  By  lemma  D. 5  and  since  v  £ 

Zfom('k)  we  get  that 

\k;  Dom(hk);  •;  •;  x :  a\v/r\  at  v  H  e[i//r] 

Applying  lemma  D.  15  leads  to  the  result.  □ 

Lemma  D.17  (Canonical  forms) 

1.  lf\ k;  A;  •;  •;  •  T*  v  :  int  then  v  =  n. 

2.  //hk;  A;  h  t;  :  cr  at  rc  then  v  =  v.i. 

3.  If 'it:  A;  ■;  •;  ■  h  v  :  <7i  x  <72  f/;en  v  =  ( vi,v2 ). 

4.  //hk;  A;  •  hr  :  3t:n.a  then  v  =  (t  =  r,v' \a). 

5.  //r''k;A;-;-;  -  hr  :  3a:  A'. a  then  v  =  (a :  A'  =  ai,  u' :  cr2). 

6.  T/hk;  A;  •  hr  :  3r  £  A',  (a  at  r)  then 

v  =  {r  £  A'  —  p,  v'). 

7.  If  it:  A;  ■;  •;  ■  h  u  :  V[t]  [r]  (cr)  -A  0  r/ten  u  = 

8.  Ifi>:  A;  V[f:"k][r](CT)  0 

then  v  =  \[t\K][r\(x7ij).e. 

Proof  The  proof  follows  from  the  inspection  of  the  typing  rules 
for  values.  □ 

Proposition  D.18  (Progress)  If  \~  (AT,  e)  then  either  e  =  halt  v 
or  there  exists  a  (AI' ,  e1)  such  that  (AT,  e)  ==>  (AT',  e'). 

Proof  The  proof  is  by  induction  over  the  structure  of  e.  The 
ifreg  cases  follow  in  a  straightforward  way.  We  will  consider  only 
the  region  open  construct, 
case  open  v  as  (r,  x)  in  e:  We  know  that 

>k;  Dom(i>):  •;  •;  •  h-  open  v  as  (r,  x)  in  e 
This  means  that 

hk;  Dom(it)\  •;  •;  •  h  x  :  3r  £  A.(cr  at  r) 

By  lemma  D.17  we  get  that  w  =  (r  £  A  =  p,  u').  By  the  typing 
rule  for  region  packages,  we  get  that  p  £  Dom(it).  This  means 
that  p  —  v  for  some  v.  Therefore,  we  have  that 

\k;  Dom/vk);  •  h  open  (r  £  A  =  v,  v')  as  (r,  x)  in  e 

But  by  the  operational  semantics  this  goes  to  (AT,  e[v,  vr /r,  x]).  □ 
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